Yahoo reportedly downplayed security for years
It was worried that tougher safeguards would scare users away.
That massive Yahoo hack might have been less of a one-off disaster and more a symptom of larger, systemic problems with security at the internet pioneer. New York Times sources claim that Yahoo made security a relatively low priority for years, prioritizing convenience when possible and reacting only after serious incidents (such as bug bounties following an account breach in 2012). Reportedly, the company even skipped out on safeguards that are considered virtually mandatory in many places -- CEO Marissa Mayer rejected a password reset out of concern that it would drive users away from Yahoo Mail.
The company took a big step by hiring chief information security officer Alex Stamos, who implemented valuable measures like widespread encryption, collaboration on threat data and "red teams" that broke into Yahoo systems to see how vulnerable they were. However, Mayer supposedly fought with Stamos' group, depriving it of resources and stalling the implementation of vital features like intrusion detection. Many of its security staffers have left for Silicon Valley mainstays like Apple, Facebook and Google, according to insiders.
A spokeswoman suggests to the Times that things are on the mend. It spent $10 million on encryption in 2014, and that its security investments jumped 60 percent between 2015 and 2016. Yahoo has a "deep understanding" of online threats, the representative says, and it tries to "stay ahead" of those dangers to keep you safe.
If the report is accurate, though, it hints that the increased spending might be necessary for catching up. It'd be an acknowledgment that the company's previous focus on ease of use over security was too risky, and that whatever inconveniences you suffer from added security are far, far more preferable to losing sensitive info to hackers. And lax security doesn't just scare away some customers -- it could even jeopardize that lucrative Verizon deal.
