Hackers accessed 32 million Yahoo user accounts in the last two years using forged cookies.
Yahoo CEO Marissa Mayer writes:
As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.
Don’t feel too sorry for Mayer. As CNN reported, she has made about $162 million in the four years that she has been CEO of Yahoo, and could earn a tidy $57 million more in severance after Verizon takes over the company.
That’s despite Verizon lowering its offer for Yahoo by hundreds of millions of dollars after the scale of the search engine’s security disasters became public knowledge.
I guess it’s nice of Marissa Mayer to hand her bonus to Yahoo’s employees, but wouldn’t it be more fitting still if some of the cash went to those innocent Yahoo users whose accounts were exposed?
Because clearly something went very wrong at Yahoo.
Mayer forgoing her bonus may make many of the headlines, but the juicier story is contained in the regulatory filing that Yahoo has just made to the SEC.
It describes the findings of an independent committee, brought in to investigate how Yahoo handled the hacking attacks and related matters, including how much the company knew and when.
Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.
The SEC filing goes on to explain that Yahoo’s board decided to not just withhold Mayer’s cash bonus for 2016, and accepted her offer to forgo equity award for 2017.
Frankly, that feels like getting away with it quite lightly. They weren’t so lenient with Yahoo’s chief lawyer, Ron Bell, who they unceremoniously booted out without giving him so much as a free t-shirt.
No payments are being made to Mr. Bell in connection with his resignation.
Finally, Yahoo’s SEC filing shares another important titbit – forensic experts have now identified approximately 32 million user accounts for which forged cookies were stolen in 2015 and 2016.
Yahoo has linked some of the cookie-forging activity to “the same state-sponsored actor” it believes was responsible for stealing the account information of 500 million Yahoo users back in late 2014.
Hmmph. I remember when a security breach involving 500 million Yahoo users seemed like a big deal.
Then, in December 2016, we discovered that there had been a separate theft of “data associated with more than one billion user accounts” back in August 2013.
Companies either get security or they don’t. It’s no good just having an IT team that understands security, you also need to have an executive management who understand the importance of security too – otherwise you have little chance of protecting your business against modern threats.
I’ll leave it for you to decide for yourself whether you believe Yahoo’s CEO can be trusted to run a tight ship now.
Found this article interesting? Follow SLG on Twitter to read more of the exclusive content we post.