
Did Yahoo do enough to prevent its hack?


Yahoo’s massive security breach may rattle longtime users, but it’s less of a surprise to those who have followed the company closely.

Yahoo has been the target of multiple serious hacks in recent years and cycled through four chief information security officers between 2013 and 2015. The latest breach is said to have taken place in late 2014, compromising 500 million user accounts.

Under CEO Marissa Mayer, Yahoo resisted calls for greater funding and efforts to bolster security, according to a former member of Yahoo’s security team who left before the breach is said to have taken place.

“Security was pushed to the back end,” the former employee says. The reaction from higher-ups was “we just had other priorities.”

Top security execs at Yahoo also felt boxed out of the company’s decision-making process under Mayer, according to the former employee.

A former Yahoo executive who worked under Mayer around the time of the breach adds that the leadership team was intensely focused on trying to build “the fastest growing startup.”

“We are committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and keeping our users and our platforms safe,” a Yahoo spokesperson said in a statement.

On Thursday, Yahoo revealed that data “associated with at least 500 million user accounts” were stolen. The company said it currently believes a “state-sponsored actor” was behind the breach and is working with law enforcement to learn more.


The breach is by far the largest in Yahoo’s history and likely the largest to hit any individual company, but it wasn’t the first time Yahoo had been hit by hackers.

In 2012, hackers posted login information online for more than 450,000 Yahoo users, prompting at least one lawsuit and criticism that Yahoo had stored the passwords in plaintext rather than hashing them.

In early 2014, Yahoo said it identified a coordinated effort by hackers who tried to log into many email accounts with stolen user names and passwords.

Yahoo first received word in July 2016 of a hacker claiming to have information on 280 million users for sale on the black market, according to a source familiar with the matter.

Yahoo conducted an internal investigation and found nothing to support that staggering claim, according to the source. But then Yahoo’s security team decided to conduct a “broader, deep dive review,” the source says, and found evidence of the security breach impacting 500 million accounts.

Much of the coverage has focused on the massive scale of the data breach. Yet there is also criticism of the fact that users are only learning of it now, two years after the original breach and nearly two months after the first media reports surfaced about a possible hack.

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” Senator Richard Blumenthal (D-CT) said in a statement.

Even Verizon, which agreed to acquire Yahoo in July, says it only learned of the breach this week.

Security experts say it’s not uncommon for there to be a significant delay between a breach and its disclosure.

“The thing that often happens is that companies find out about this well after the hack,” says Tom Patterson, VP of global security at Unisys. “And it’s certainly possible that it didn’t come to their attention until the information was being sold a year later.”