Slashdot Mirror


Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes

If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report by The New York Times lays out the extent to which Yahoo didn't invest in its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy a target for hackers, the company took one year to hire a new chief information officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left, partly due to clashes with Mayer, The Times adds. And it gets worse. From the report: But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

8 of 129 comments

  1. Bad CEO is bad by networkBoy · · Score: 3, Insightful

    topic says it all...

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  2. Mayer 2020? by OverlordQ · · Score: 3, Insightful

    Maybe she'll go the route of Carly Fiorina and after she's done running companies into the ground she'll try at politics.

    --
    Your hair look like poop, Bob! - Wanker.
  3. Re:So Where Was the Board? by phantomfive · · Score: 4, Insightful

    Why do you think this will affect profitability? Did LinkedIn become less profitable when they leaked everyone's user accounts? Or did everyone just forget about that and move on?

    --
    "First they came for the slanderers and i said nothing."
  4. Re:So Where Was the Board? by PCM2 · · Score: 5, Insightful

    Well, for starters, LinkedIn only leaked data for around 6 million accounts. Yahoo leaked data for half a billion accounts. Also, considering that people use Yahoo for their personal email and to track their finances, the data on Yahoo was potentially much more sensitive than anything on LinkedIn.

    --
    Breakfast served all day!
  5. But just like Mylan by ThatsNotPudding · · Score: 3, Insightful

    But just like the Mylan CEO and Martin Shkreli, nothing, nothing, NOTHING of any import will happen to Marissa Mayer.

    Just as morality doesn't apply to the 1%, neither do the laws of the 99%.

    1. Re:But just like Mylan by Anonymous Coward · · Score: 3, Insightful

      The ex-CEO of Tyco, Dennis Kozlowski, served eight years in prison. My guess is the whole time he was in there he was constantly shouting "WTF!" as various CEOs came and went unscathed for frauds much larger than his...

  6. Re:lawsuits by Oswald+McWeany · · Score: 2, Insightful

    On the surface it sounds good; but if companies get sued for being hacked then more people will try hacking companies that piss them off (or in some cases maybe who are rivals).

    Get fired? Hack your employer so that they get sued as payback. Rival kicking your arse? Hire some Russian miscreants to hack them.

    --
    "That's the way to do it" - Punch
  7. Re:Not a surprise by lgw · · Score: 5, Insightful

    Forcing users to change passwords regularly is a security anti-pattern. It produces lower security overall. It's something IT does to express their loathing of the userbase, not a security practice.

    Make users change passwords when there's evidence of a breach, and only then.

    --
    Socialism: a lie told by totalitarians and believed by fools.
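The distinction lgw draws, and the measure the summary says Yahoo rejected, in code: a breach-triggered reset that flags every credential that existed when the store may have been copied and revokes its sessions, beside the time-based expiry check that login deliberately ignores. This is an added illustration, not code from Yahoo or from any commenter; the `Credential` model, function names and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Credential:
    user: str
    password_set_at: datetime
    must_reset: bool = False
    sessions: set = field(default_factory=set)  # live session ids


def periodic_expiry_due(cred: Credential, now: datetime, max_age_days: int = 90) -> bool:
    """The anti-pattern: demand a change only because time has passed."""
    return now - cred.password_set_at > timedelta(days=max_age_days)


def apply_breach_reset(creds, detected_at: datetime):
    """Breach-triggered reset: any password that existed at detection time may be in
    the attacker's hands, so flag it and kill its sessions so a stolen cookie dies with
    the password. Passwords set after detection are left alone."""
    flagged = []
    for c in creds:
        if c.password_set_at <= detected_at:
            c.must_reset = True
            c.sessions.clear()
            flagged.append(c.user)
    return flagged


def login(cred: Credential) -> str:
    """Only the breach flag gates login; periodic_expiry_due is never consulted here."""
    return "reset_required" if cred.must_reset else "ok"


def complete_reset(cred: Credential, now: datetime) -> None:
    cred.password_set_at = now
    cred.must_reset = False


def demo():
    detected = datetime(2014, 6, 1, tzinfo=timezone.utc)  # constructed detection time
    alice = Credential("alice", detected - timedelta(days=400), sessions={"cookie-1"})
    bob = Credential("bob", detected + timedelta(days=1))  # set after detection
    flagged = apply_breach_reset([alice, bob], detected)
    now = detected + timedelta(days=2)
    return flagged, login(alice), login(bob), periodic_expiry_due(alice, now), alice.sessions
```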