Six years ago, Yahoo’s computer systems and customer e-mail accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.
Google cofounder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of US dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.
Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to a half-dozen current and former company employees who participated in security discussions, but agreed to describe them only on the condition of anonymity.
When Marissa Mayer took over as chief executive officer of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.
The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs, and their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.
However, Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the past four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years.
It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the FBI.
Certainly, many big companies have struggled with cyberattacks in recent years. However, Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.
To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo’s leadership was often unwilling to make.
In defense of Yahoo’s security, a company spokeswoman, Suzanne Philion, said that the company spent US$10 million on encryption technology in early 2014, and that its investment in security initiatives would increase by 60 percent from last year to this year.
“At Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure,” she said.
The breach disclosed last week is the latest black eye for Mayer, whose failed turnaround effort resulted in Yahoo’s agreement in July to sell its core operations to Verizon for US$4.8 billion. It is unclear whether the episode will affect the sale. Although Yahoo’s e-mail users are its most loyal and frequent customers, the company has been losing market share in e-mail for years.
“Yahoo is already suffering. I don’t think they’ll suffer more because of this,” said Avivah Litan, a security analyst with the research firm Gartner.
Mayer arrived at Yahoo about two years after the company was hit by the Chinese military hackers. While Google’s response was public, Yahoo never publicly admitted that it had also been attacked.
A former Google executive credited with creating the search company’s simple, colorful aesthetic, Mayer turned her attention at Yahoo to beating Google at search, creating new mobile apps and turning Yahoo into a video powerhouse with TV-style broadcasts featuring big-name talent like American journalist Katie Couric.
However, in matters of security, Mayer, current and former employees said, was far more reactive.
In 2010, Google announced it would start paying hackers “bug bounties” if they turned over security holes and problems in its systems. Yahoo did not do the same until three years later, after it lost countless security engineers to competitors and experienced a breach of more than 450,000 Yahoo accounts in 2012 and a series of humiliating spam attacks in 2013.
Yahoo said it had paid out US$1.8 million to bug hunters.
In 2013, disclosures by former US National Security Agency contractor Edward Snowden showed that Yahoo was a frequent target for nation-state spies, yet it took a full year after Snowden’s initial disclosures for Yahoo to hire a new chief information security officer, Alex Stamos.
Jeff Bonforte, the Yahoo senior vice president who oversees its e-mail and messaging services, said in an interview in December last year that Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said, with even Yahoo unable to read it.
Bonforte said he resisted the idea, because it would have hurt Yahoo’s ability to search message data to provide new services.
“I’m not particularly thrilled with building an apartment building which has the biggest bars on every window,” he said.
The 2014 hiring of Stamos — who had a reputation for pushing for privacy and anti-surveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing its users’ privacy and security.
The current and former employees said he inspired a small team of young engineers to develop more secure code, improve the company’s defenses — including encrypting traffic between Yahoo’s data centers — hunt down criminal activity and successfully collaborate with other companies in sharing threat data.
He also dispatched “red teams” of employees to break into Yahoo’s systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.
However, when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Mayer repeatedly clashed with Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion detection mechanisms for Yahoo’s production systems.
Over the past few years, employees said, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.
Stamos, who departed Yahoo for Facebook last year, declined to comment. However, during his tenure, Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach.
Employees said the move was rejected by Mayer’s team over fears that even something as simple as a password change would drive Yahoo’s shrinking e-mail users to other services.
“Yahoo’s policy is that if we believe a user’s password has been compromised, we lock the account until the user resets the password,” Philion said.
The passwords stolen from the 500 million accounts involved in the breach disclosed last week were encrypted. Yahoo concluded the risk of misuse was low, so it encouraged people to reset their passwords themselves.
On Tuesday, six US Democratic senators, led by Patrick Leahy, sent a letter to Mayer demanding more details about the 2014 breach and what Yahoo was doing to prevent a recurrence.
Another senator, Mark Warner, has asked the US Securities and Exchange Commission to investigate Yahoo’s disclosures to investors regarding the incident.
And the company is already the subject of several class-action lawsuits from users over the intrusion.