
Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say

Alex Stamos, then Yahoo’s chief information security officer, at a Senate hearing in 2014. The hiring of Mr. Stamos that year was hailed as a sign that Yahoo was prioritizing its users’ privacy and security. Mr. Stamos left Yahoo for Facebook last year. Credit: Win McNamee/Getty Images

SAN FRANCISCO ― Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.

The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone ― be they spies or criminals ― to hack into Google customers’ accounts.

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.

When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.

The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.


But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation.

Certainly, many big companies have struggled with cyberattacks in recent years. But Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.

