With Breach, Yahoo Pays the Price For Skimping on Security

Six years ago, the Chinese military hacked Google, Yahoo and other technology companies. Google, whose co-founder Sergey Brin vowed “never again,” hired hundreds of security engineers to make good on that promise. Yahoo, under the leadership of Marissa Mayer, however, focused on other problems the ailing company faced and reportedly failed to take more stringent security measures. Now, Yahoo reports another serious breach, undetected for two years, with 500 million users’ credentials stolen. Yahoo and the FBI are investigating.

The New York Times notes that “Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.” Company spokeswoman Suzanne Philion says that, in early 2014, the company invested $10 million in encryption technology, and “its investment in security initiatives will have increased by 60 percent from 2015 to 2016.” But that, apparently, was not sufficient.


In fact, inside sources say that the internal name for Yahoo’s security team was the “Paranoids,” and that their requests were overridden because more protection would have slowed down products and made them more difficult to use. Mayer also “repeatedly clashed” with security head Alex Stamos, “denied Yahoo’s security team financial resources” and rejected an automatic reset of all user passwords.

The breach, says NYT, is “the latest black eye” for Mayer, whose “failed turnaround effort resulted in Yahoo’s agreement in July to sell its core operations to Verizon for $4.8 billion.” It isn’t clear whether this latest breach will impact the sale. Meanwhile, the Paranoids, say inside sources, “have been routinely hired away by competitors like Apple, Facebook and Google.”

Although Yahoo claimed that the breach was the work of a state-sponsored group, The Wall Street Journal reports that security firm InfoArmor has determined it is the work of “Group E,” Eastern European criminals who then sold the database at least three times, including once to a “state-sponsored actor.”

InfoArmor chief intelligence officer Andrew Komarov, whose company has been tracking Group E for three years, linked them to “hacks that stole more than two billion records from about a dozen websites, including LinkedIn, Dropbox and Myspace.”

Komarov says Group E no longer wants to sell the entire database but rather to “extract something from the dump for significant amounts of money,” with prices “based on the value of the target.” InfoArmor’s analysis “still leaves many questions unanswered, including how InfoArmor obtained access to the database and why Yahoo didn’t uncover the magnitude of the breach for nearly two years.”

Patrick Leahy, Democratic senator from Vermont, and five other Democratic senators sent a letter to Mayer “demanding more details about the 2014 breach and what Yahoo was doing to prevent a recurrence,” and Virginia senator Mark Warner “asked the Securities and Exchange Commission to investigate Yahoo’s disclosures to investors regarding the incident.”

Yahoo is also being targeted by several class-action lawsuits.