Yahoo Must Die: Security, Surveillance, and Corporate Responsibility

In 2015, it was revealed that foreign hackers, believed to be in the employ of a foreign government, stole the login credentials (usernames and passwords) of 500,000,000 Yahoo users. No, that’s not a typo, and it’s not a mistake: 500 MILLION Yahoo users had their credentials stolen. And though it was discovered and announced last year, the breach was eventually determined to have taken place some two YEARS earlier.

That’s right: Yahoo users were potentially having everything they did observed by a foreign government for at least two years without their knowledge - or Yahoo’s.

This is especially shameful given that in 2012, Yahoo had a breach that involved the credentials to 450,000 (four hundred fifty thousand) users, and then in 2013 was taken nearly offline repeatedly by spammers.

Also in 2013, Edward Snowden brought information security to the forefront worldwide by leaking a cache of documents from the NSA, where he’d worked, to journalists. Included in those revelations was the fact that Yahoo was - and is - regularly targeted in state-sponsored hacking efforts, because it was widely known to be much easier to breach than most comparable companies.

In spite of this series of revelations about security issues at Yahoo, CEO Marissa Mayer took a full year before following the lead of the other giants in this space, such as Google, and hiring a Chief Information Security (InfoSec) Officer. Even as Google and Microsoft were offering “bug bounties” - monetary rewards for programmers who could demonstrate reproducible issues with their products - Yahoo was still slow to implement the security changes being recommended across all of the major players. In fact, even after hiring a well-regarded security expert, Alex Stamos, as the new InfoSec officer, Yahoo department heads continued to resist or ignore the urgings of their internal security team, dubbed “the Paranoids”.

Numerous sources from within Yahoo have spoken to media outlets regarding the security issues (references used for this post will be listed at the end) and the internal responses to them. It was apparently a fairly normal turn of events for something to happen, for Stamos and his team of “Paranoids” to recommend a response, and for that recommendation to be ignored, de-prioritized, or determined to be too expensive and inconvenient to implement.

Which brings us to the reason you should care about all of this.

It was revealed last week that, at the request of the NSA or FBI (it’s not clear which), back in 2015 Yahoo created software which would filter ALL communications coming to or going from their users for particular search terms. That’s right, Yahoo made the software to spy on their users themselves.

This scanning took place before the messages were ever even seen by the users; in fact, before they were even delivered to any application that users can interact with. Even worse, this was done by the group within Yahoo that handles email and messaging, and the security team was not even informed it was happening. No one outside that messaging team was informed of this application, and when the security team (predictably) discovered it only a few weeks after it went live, they believed it to be another external breach of the sort Yahoo has been notorious for. After determining what it really was, Stamos went to CEO Marissa Mayer about it - only to find out that the decision to do it, and to do it this way, was made by her. The security staff were left out of the process entirely, intentionally.

Upon learning that he and his security staff had been deliberately excluded from this, Stamos resigned from his position at Yahoo in protest. He’s now at Facebook as their Chief Security Architect.

The ultimate irony of this is that the most frequently repeated recommendation made by Alex Stamos when he was the CISO at Yahoo was end-to-end encryption. Even before his employment at Yahoo, Stamos consistently recommended the use of end-to-end encryption, in which communications are encoded with a key that is shared only between the devices (users) that are doing the communicating. This makes it functionally impossible for anyone, even the people providing the communications platform (in this case, Yahoo), to read them or know anything at all about their contents. Literally all that’s possible to see is the source and destination.
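To make the difference concrete, here is an added example (mine, not code from the post or from Yahoo) modeling a provider-side keyword filter of the kind described above, run once over a plaintext message and once over the same message protected end-to-end. The cipher is a deliberately simple SHA-256 counter-mode construction with an HMAC tag, built for illustration only, and the message fields and search terms are constructed sample data.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustrative stream cipher: SHA-256 over (key || nonce || counter).
    # Not a vetted cipher; a real deployment would use a standard AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def e2e_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt on the sender's device; only key holders can read the body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def e2e_decrypt(key: bytes, blob: bytes) -> bytes:
    """Decrypt on the recipient's device; rejects tampering or a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def provider_scan(envelope: dict, terms: list) -> dict:
    """What a filter running inside the provider sees for one message:
    routing headers always, body keywords only if the body is plaintext."""
    hits = [t for t in terms if t.encode() in envelope["body"]]
    return {"from": envelope["from"], "to": envelope["to"], "hits": hits}


def demo(key: bytes, message: bytes, terms: list) -> tuple:
    """Returns (scan of plaintext message, scan of E2E message, recovered text)."""
    plain_env = {"from": "alice@example.test", "to": "bob@example.test", "body": message}
    blob = e2e_encrypt(key, message)
    e2e_env = {"from": "alice@example.test", "to": "bob@example.test", "body": blob}
    return provider_scan(plain_env, terms), provider_scan(e2e_env, terms), e2e_decrypt(key, blob)
```

With the plaintext envelope the filter reports the keyword hits; with the end-to-end envelope it still sees the sender and recipient but no body matches, which is exactly the metadata-only view the paragraph describes.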

When Stamos recommended this at Yahoo, the response from the senior executive in charge of their email and messaging systems was “I’m not particularly thrilled with building an apartment building which has the biggest bars on every window.” The primary reasoning for not implementing this kind of security measure - even though Stamos, for the entire time of his employment at Yahoo, was collaborating with engineers from Google, Facebook, Microsoft, and Dropbox on software to allow it - was that encrypting the user data in this way would mean Yahoo themselves couldn’t see the contents, and that would make it harder to figure out what services to market to users, or what ads they were most likely to respond to.

In other words, this was a decision about communication security that was made not based on the best security practices for Yahoo’s users, as determined by the experts on that subject, but based on what was going to cost less and allow better targeting of consumers for advertisements and other Yahoo services.

Some of the details of this story, as described in the references linked below, make clear just how bad the security culture really is at Yahoo.

The bottom line: if you still use Yahoo services, any of them, you should stop, and immediately.

Below is a link to another tech writer who explains, with screenshots, how to delete your Yahoo account and remove your data from their network. I urge you to do so, and to discontinue your use of all their services. The only voice you as a consumer have about such failures in companies that provide you services is to vote with your dollars. And if companies screw up this badly, this often, to vote with your feet. Head for the door, and don’t look back. If Yahoo takes your privacy this lightly, they deserve to have the market punish them for it. Let’s make an example of them so that no other tech company thinks they can get away with this sort of nonsense again.

Resources:

How to delete your account:
http://www.ghacks.net/2016/10/07/how-to-delete-your-yahoo-account/