Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes

Posted by msmash on from the bad-blood dept.

If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report on The New York Times states the extent to which Yahoo didn't care about its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy of a target for hackers, the company took one year to hire a new chief information officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left partly due to clashes with Mayer, The Times adds. And it gets worse. From the report:But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

10 of 129 comments (clear)

  1. Short sighted by sjbe · · Score: 5, Funny

    Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

    At my company we call this "stepping over a dollar to pick up a nickel".

    1. Re:Short sighted by Oswald+McWeany · · Score: 4, Funny

      Mine will hire an outside contractor to pick up both for $20- and then let them keep the dollar and the nickel.

      --
      "That's the way to do it" - Punch
  2. Re:Bad CEO is bad by elrous0 · · Score: 5, Funny

    Perhaps you missed the fact that this CEO is a *WOMAN*, which makes her a hero and an inspiration.

    This is somehow all the evil male patriarchy's fault.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  3. Not a surprise by ErichTheRed · · Score: 5, Interesting

    Not one organization I have ever worked for has seriously cared about IT security. The second anyone mentions security, the next question is how much it costs. So I don't think it's a Yahoo thing - I think it happens everywhere. Even banks and healthcare companies, who have some of the most regulated data in the world don't go beyond lip service and a few token defenses to protect it. Companies will continue to offshore vital functions to companies that don't care what happens to data. They'll also continue to ignore key parts of new product development relating to security. I think one of the problems is that IT security guys can't articulate this to executives. They're either from the physical security world, or they're so tech-focused that they can't give a coherent presentation to people who only understand what dollars are.

    Companies have insurance, and it's always cheaper to say "oops" and give out free credit monitoring for a year than it is to build a serious defense against security breaches. Until it becomes too expensive to ignore, whether in the form of lost business, fines or lost intellectual property, nothing will change.

    1. Re:Not a surprise by pr0fessor · · Score: 4, Interesting

      We take security seriously where I work and have good security practices... That being said there are still management types who always want to find a loophole because being secure is to burdensome. They want to share logins, have password that never expire, put data on unencrypted thumb drives, etc...

      I usually just remind them that many of our clients want third parties to certify our security practices and if we can't keep that up we will not have clients and they can debate security all they want on the unemployment line.

    2. Re:Not a surprise by lgw · · Score: 5, Insightful

      Forcing users to change passwords regularly is a security anti-pattern. It produces lower security overall. It's something IT does to express their loathing of the userbase, not a security practice.

      Make users change passwords when there's evidence of a breach, and only then.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  4. Re:So Where Was the Board? by phantomfive · · Score: 4, Insightful

    Why do you think this will affect profitability? Did LinkedIn become less profitable when they leaked everyone's user accounts? Or did everyone just forget about that and move on?

    --
    "First they came for the slanderers and i said nothing."
  5. Re:So Where Was the Board? by PCM2 · · Score: 5, Insightful

    Well, for starters, LinkedIn only leaked data for around 6 million accounts. Yahoo leaked data for half a billion accounts. Also, considering that people use Yahoo for their personal email and to track their finances, the data on Yahoo was potentially much more sensitive than anything on LinkedIn.

    --
    Breakfast served all day!
  6. Amazing by LichtSpektren · · Score: 4, Funny

    It's in fact possible to be even less competent than Meg Whitman and Carly Fiorina.

  7. The invisible hand strikes. by Ungrounded+Lightning · · Score: 4, Interesting

    Not one organization I have ever worked for has seriously cared about IT security.

    When it comes to rolling out new products, ignoring security is the norm.

    This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.

    This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.

    Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.

    I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way