Yahoo last week confirmed what many already feared, that unknown hackers have been able to steal account data belonging to hundreds of millions of users. The massive data breach occurred at some point in 2014, affecting some 500 million users. Yahoo is yet to explain why the data breach happened, and whether it could have done anything to ensure the security of its users.
A new report reveals that Yahoo has been putting off security investments for years, for fear that security features would also hinder overall Yahoo experience.
According to The New York Times, Yahoo CEO Marissa Mayer is ultimately responsible for Yahoo’s inability to safeguard the data of its customers. When Mayer took the reigns for Yahoo in mid-2012, security was not one of her priorities. Consumer-facing aspects of Yahoo services needed to be improved, so the exec constantly rejected implementing additional security feature to prevent other hacks.
The 2014 Yahoo hack, while it may be the biggest breach in history, isn’t the only cyber attack Yahoo failed to repel, Six years ago, Chinese military hackers breached Yahoo’s computer systems and customer email accounts, with Google and other companies also being hit. While others increased their defenses, Yahoo failed to do so.
“The ‘Paranoids,’ the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs,” the Times writes. “And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.”
In time, some of the Paranoids ended up taking security job at other tech companies, including Apple, Facebook, and Google.
According to the report, Mayer also rejected “the most basic security measure of all: an automatic reset of all user passwords,” a crucial security step that experts consider standard after a breach. The move was rejected for fear that even something as simple as an automatic password change would drive email users away.
After the 500 million accounts hack was confirmed, Yahoo concluded that the risk of misuse was low, as passwords were encrypted, so it notified users and encouraged them to reset their passwords themselves, the Times reports.