Yahoo could have reset all user passwords two years ago, but chose not to

Yahoo insiders say that protecting against hackers took a back seat.

Graham Cluley
Graham Cluley
@[email protected]

Yahoo could have reset all user passwords two years ago, but chose not to

The New York Times has published a story quoting unnamed Yahoo insiders, and it doesn’t paint a pretty picture of the firm’s security priorities.

There’s lot to ponder in the article, but one thing that sprung out to me was a section which described how CEO Marissa Mayer clashed with Yahoo CISO Alex Stamos (who left to become Facebook’s security chief in mid-2015, in a move widely applauded by the infosec community).

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

In 2009, Yahoo is believed to have been one of the many tech firms (including Google who famously went public about it) who suffered a sophisticated attack from Chinese hackers dubbed “Operation Aurora”.

In 2012, 450,000 Yahoo email addresses and passwords were stolen by hackers after the company’s sloppy security was exposed.

Sign up to our free newsletter.
Security news, advice, and tips.

In 2013, NSA whistleblower Edward Snowden revealed how the NSA and GCHQ had exploited Yahoo’s systems, and were capable of intercepting users’ messages as they travelled between the company’s network of data centers.

Meanwhile, Yahoo was being pretty dumb – what with its moronic recycled email address scheme, Marissa Mayer not bothering to have a passcode on her smartphone, and Yahoo rewarding vulnerability researchers who found a serious bug that could lead to account compromise a pathetic $12.50 t-shirt.

The only silver lining was that Yahoo finally decided to switch on HTTPS by default in January 2014, although it was shockingly late to that particular party.

As we were to learn last week, however, there was more trouble just around the corner.

In late 2014, as we now know, half a billion account details were stolen after a massive security breach that the company is blaming on a state-sponsored attack.

In 2016, Yahoo is trying to sell itself to Verizon for $4.8 billion.

I wonder if Marissa Mayer wishes now that she had told Yahoo’s security team to reset all users’ passwords back then.

Companies either get security or they don’t. If the New York Times story is to be taken at face value, it’s beginning to sound like the problem with security not being treated as a priority at Yahoo was coming from the very top.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “Yahoo could have reset all user passwords two years ago, but chose not to”

  1. BaliRob

    I have sent thousands of email over the past 8 years or so ALL from Indonesia.
    At the time of this malfeasance my account was hacked and my Contact List sold
    to two different spam artists – leaving me to have to apologise to everyone – some of
    whom I was not particularly friendly with. MY POINT AT LAST is that when I researched
    my SENT mail history (which one can on Yahoo) of all the thousands of servers listed
    all came from Indonesia EXCEPT for two (adjacent to each other) they being CANADA.

    No algorithm to see this IMMEDIATELY by Yahoo ?? Those that criticize Yahoo for not
    having interest in this respect are pretty near the mark – especially when Yahoo make it almost impossible to contact them and to inform them of this type of worrying behaviour.

  2. Simon

    Hmm, any wonder why Yahoo! kept sinking under Ms. Mayer's tenure…

    The fact that we all know about Yahoo's handling of this incident dating three years back look far worse to;

    1. it's users
    2. it's investors, and
    3. to everyone else

    In any case, all the of the above would (or should) now be abandoning Yahoo! in droves.

    If Yahoo! didn't take basic precautions of it's users seriously, why should they be trusted with anything else?

  3. Michael Ponzani

    She's supposed to be real cheap. This takes the cake! How insulting! A T-shirt! 'Coulda bought a hat. OR, maybe two hats. Give them to Marissa. One for her to take a….a….a….."dump" in and the other one to cover it up. That might not be viable since I suspect the recipient of that $12.50 largesse will have to pay out of pocket for all or part of that second hat.

  4. Michael Ponzani

    OH< NO! I WAS WRONG! Looking back at the sale prices in effect at that time as posted on the 3013 article I determined the beneficiary of this absolute windfal could have purchased 2.6 hats assuming no internet taxes. Not so fast Snavely. "Snavely" also would have to contribute 0.006 cents to get that 0.6 portion of a hat. Could someone work in another 6 so we can derive the number; if not the name of the Beast? Of course the 6/10ths hat might possibly be a "parts hat", you know, like a parts car. How many pints would $12.50 buy in 2013? Could someone forward my two posts to Marissa? I'd do it my self, except I use Yahoo! and I have my bowling shirt pulled above my head so no one sees me. Yahoo! seems to be lead by a yahoo.

  5. Michael Ponzani

    How come my quotation marks came through in the first post and not the second? Sorry about the typos, my coordination is not that great and I failed to proof read. (Watch him fall off the high wire as soon as he steps on it.)

  6. JD Johnson

    No, she doesn't care. She walked away with millions.
    Also, does anybody think she would have ever risen that high without those good looks? Looks like that will help someone move up the ladder faster.

    1. Simon · in reply to JD Johnson

      If looks could kill… well, I guess it did for Yahoo's reputation…

      Mayer's was more like a Trojan horse; supposedly adding value and improving it's strategy/relevance, but nefariously did the opposite with poor business decisions, harbouring a pretentious work culture and selfish attitudes.

      Kudos to Stamos for jumping ship and leaving Yahoo! go to the dogs.

  7. Michael Ponzani

    Good looks. Bang your way to the top Just ask Angie Dickinson. "I couldn't act so I screwed my way to the top. See the Bendix corporation' history concerning the blonde. She was good at her job, though. She rost through the ranks with her boss and eventually married him. She started out as hs secretary. Things that make you go hmmmm!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.