Yahoo - hackers and spying

Yahoo is in free fall. It is negotiating a sale of its Internet business to Verizon but that sale is in jeopardy, likely at least to be renegotiated to lower the price by one or two billion dollars and perhaps on the verge of collapse into acrimony and lawsuits. In that case, Yahoo is effectively dead – oh, it will continue to exist in some diminished form but its decline will be quick and ugly.

Although Yahoo’s slide into irrelevance has a long history, the company is currently being shaken by new questions about its failure to address basic user security issues. There has been recent news of huge hacks that exposed over 500 million people’s personal information – email addresses, passwords, and more – plus revelations that Yahoo allowed the NSA to rummage through every Yahoo’s user’s email last year.

If you have a Yahoo account, you should remove all personal data from it. If you have a Yahoo or AT&T/SBC Global email address, you should stop using it, empty out the contents of the mailbox, and take precautions against security attacks.

It’s that bad.

Here’s a very brief description of how Yahoo got to this position and what you need to know about the hacks and the government spying. Then I’ll give you a few specifics about what to do if you have a Yahoo account.


Yahoo history in a nutshell

Yahoo was born in 1994 as a much-loved directory of websites, curated by real people. It is symbolic that Yahoo’s original business was poorly chosen: human curators could not keep up with the explosive growth of the web and Yahoo’s Internet directory was never going to be sustainable. Shortly afterward, Google was born as an index of websites maintained by powerful computers, a forward-looking business that almost immediately removed any reason for Yahoo’s original business to exist.

Nonetheless, Yahoo grew rapidly by acquiring companies and creating services that would keep users on Yahoo sites longer, where Yahoo could earn advertising revenue. One of its most successful creations was Yahoo Mail, the mail service used by almost 300 million people. In addition to email addresses, Yahoo Mail has handled all mail for AT&T companies for almost fifteen years. If you have an or email address, it is run by Yahoo Mail.

The dotcom boom in the 90s was kind to Yahoo and helped conceal that there was no particular unifying theme to the Yahoo businesses. It has been impossible to define Yahoo’s business or its mission almost since the beginning. Apple is a hardware company, Microsoft is a software company, Google is an advertising company, and Yahoo is . . . nothing in particular.

In 2005 Yahoo purchased a 15% stake in Alibaba, then a relatively small Chinese company. Alibaba grew into one of the largest and most profitable Chinese e-commerce companies and Yahoo’s investment became so valuable that it represents almost the entire value of Yahoo today. Other than the Alibaba investment, the value of Yahoo’s business has been in perpetual decline ever since the end of the dotcom boom.

Yahoo rejected an acquisition bid from Microsoft in 2008. Every year Microsoft executives get together and drink toasts to their incredible luck at dodging that bullet. It is fair to assume that the Yahoo executives who rejected that bid are now in deep therapy and take prescription drugs for depression.

In 2012 it was no longer possible to ignore that Yahoo had no definable business plan other than to continue its fade into irrelevance. Marissa Mayer made a highly-publicized move from Google to become Yahoo’s CEO and made valiant efforts to turn things around. Under Mayer, Yahoo revamped Flickr for photo storage and sharing; purchased Tumblr to try to get a foothold in social networking; hired celebrities Katie Couric for news and David Pogue for tech journalism; invested in TV programming and other media properties; and got teams focusing on mobile apps.

None of it made any difference. Yahoo’s identity crisis continued. The Yahoo brand is devalued, the company is perceived as failing, and its businesses are close to valueless.

This year Mayer and the Yahoo board agreed to take the only step that made sense: find a buyer for the Internet business, allowing the Alibaba investment to be held in a separate company that would not be dragged down by the failing brand. In July Verizon stepped up and agreed to pay $4.8 billion for Yahoo’s Internet business.

Then Yahoo had a very, very bad month.


Yahoo security problems – the largest corporate security hack in history, plus government spying

Yahoo - hack, surveillance

In late September Yahoo revealed that over 500 million user names, email addresses and passwords had been stolen almost two years earlier. Although Yahoo originally claimed the hack was done by a foreign government, later evidence emerged showing that it was just a bunch of criminals.

The first conclusion is damning enough: Yahoo’s security was so lax that it did not discover the biggest corporate security breach in history for two years.

But there’s more.

In July, a hacker named Peace bragged online that details of 200 million Yahoo users had been accessed. That particular claim could not be verified but when Yahoo started an investigation, it discovered evidence of the larger, allegedly “state sponsored” hack. Financial Times reported that Yahoo and specifically Mayer had knowledge of the larger hack in July. A “person briefed on Yahoo’s discussions” is quoted in the Financial Times article: “Marissa was aware absolutely — she was aware and involved when Peace surfaced this allegation in July. [She] was part of the investigation and conversation from the very beginning and along with the team every step of the evidentiary gathering and analysis process. In fact, the key executive team has been engaged from the very beginning.”

That’s bad news for everyone, because nobody told Verizon until after the deal was signed. That smells like intentional concealment of material facts in the hope of keeping the deal alive until the money has changed hands and the Yahoo executives can run for the exits. (Mayer gets a $50 million dollar payout if the deal closes.)

Yahoo filed a regulatory statement with the SEC in early September in which it said it had no knowledge of any “security breaches, unauthorised access or unauthorised use” of its IT systems.

Yahoo has stayed completely quiet in the last two weeks about the timeline for its discovery of the hack, which has obvious significance for the Verizon deal, the SEC filing, and whether people should go to jail. It reported earnings on Tuesday of this week but did not have the usual conference call where Mayer and others would answer questions.

Verizon will at least try to renegotiate the deal and save a billion dollars or two. Potentially it could decide to back out of the deal under a contract provision that allows it to withdraw if the hack has a material impact on the deal. Which, of course, it does. If the Verizon deal collapses, that is effectively a death blow for Yahoo – the Verizon deal is a lowball, face-saving way out of Yahoo’s predicament and losing it would leave Yahoo broken. Who would make an offer to buy Yahoo now?

That wasn’t the end of the bad news for Yahoo.

Two weeks after the hack was made public, government officials and former Yahoo employees disclosed that Yahoo had complied with a government order in 2015 to scan all of its email traffic for the NSA or FBI.

The details are damning.

Mayer and the Yahoo general counsel had the email engineers build a custom program to go through the mail in real time, far more aggressive and wide-ranging than any previously reported government mail snooping.

The Yahoo engineers then concealed it in the Yahoo system to try to hide it from the Yahoo security team. When the security team found it a few weeks later, they thought hackers had broken in and had to be reassured that the company had hacked its own email system. This caused such bad feelings that Yahoo Chief Information Officer Alex Stamos resigned in July 2015.

Yahoo didn’t say anything about the government spying until it was forced to by the disclosures two weeks ago. On the one hand, Yahoo was prohibited from commenting on the secret government order; on the other hand, it is clear that Yahoo did not fight the order. Google, Microsoft, Facebook and Twitter vehemently deny that they received any similar order and claim they would fight it vigorously if they did.

Yahoo is hurt by the unfairness of it all. Yesterday Yahoo wrote a letter to the Director of National Intelligence asking permission to respond to “misleading” press reports.


What the Yahoo security problems mean for you

Yahoo’s email security has always been questionable. It’s not a coincidence how many spam and malware messages have arrived in your mailbox over the years that appear to be from @yahoo and @sbcglobal email addresses. The ones I’m thinking of appear to be from people you know, which would only be possible if that person’s Yahoo address book was hacked. I’ve counseled many people whose Yahoo mail accounts were hacked with no evidence of how it happened. I don’t think it was always the user’s fault.

Now the recent stories have shown a shocking lack of focus by Yahoo on basic security principles. It’s bad enough to be the victim of the largest corporate hack in history, but it’s worse not to discover it for two years. Some of the security details about the hack are depressing – security questions stored without encryption, for example.

And the reaction to the government’s spying order is evidence that Yahoo has no stomach for protecting your privacy. We know that Apple is willing to work vigorously to protect its users. Google, Microsoft, Facebook – all have taken strong public positions and there is evidence that they have worked just as hard behind the scenes to keep the government out of your data. Yahoo rolled over. They were sufficiently ashamed about it that the board didn’t tell the company’s own security team.

If you have a Yahoo email account, it might be tied to other accounts – the email address used to log into banks or Amazon or other shopping sites, for example. If an attacker can take over your mail, he can reset those passwords and take over those accounts.

Example of how that can be done: I investigated for a client whose mailbox had not received any new mail for several days. Eventually I found out that a bad guy had set up a forwarding address deep in the Yahoo mail settings. All mail was being forwarded to the bad guy, with no copy left in the original mailbox. There was no way to learn what had gone through the mailbox during those few days – password reset notices, receipts, warnings from the bank, anything might have happened. It was scary and difficult to unravel.

Here are some tips from CNN Money about what to do if your Yahoo account was hacked. I’ll add a few of my own. Every Yahoo mail user should do these things at a minimum.

  •  Change your password now and frequently going forward.

  •  Never use the same password twice.

  •  Update the answers to Yahoo security questions. I would strongly suggest using answers that do NOT match the questions.

  •  Log into every website where you might have used the same password or security questions and change those credentials.

  •  It is time to stop using Yahoo mail. Give up your or or email address.

  •  Update every service connected to that old  Yahoo address with your new replacement email address.

  •  If you have any private information in your Yahoo mailbox, consider emptying the mailbox – literally just erasing everything in it before it’s stolen by hackers.

  •  And finally, close your Yahoo account. But don’t do that unless you are positive that no other account is linked to the Yahoo email address. It turns out that if you close the account, Yahoo might re-issue the same address to someone else – another security and privacy issue that Yahoo does not handle well.

No one is happy about any of this. Yahoo was a darling of the early tech community and has tremendous good will. Many people, myself included, badly wanted Marissa Mayer to succeed because of what it would mean for a company that we felt nostalgic about, what it would mean for female executives and the boost it would provide for women in the tech world, and because it would make such a wonderful spectacle, like watching a baseball team come back from a deficit and win the World Series. Alas, it’s not to be. This is turning into a story of failure and bad decisions and poor security. There are no winners in sight.

Share This