Yahoo Execs ‘Ignored’ Security Team Over 2014 Breach

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Yahoo’s board has blamed unnamed senior executives and its legal team for failing to properly investigate a 2014 security incident which saw 500 million user accounts stolen by state-sponsored attackers.

In a lengthy SEC filing, the board claimed that in late 2014 the firm’s security team notified of targeted attacks against 26 users, who were subsequently informed, and law enforcement consulted.

It continued:

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
Subsequent cookie forging activity by the same state actor in 2015 and 2016 was also not investigated. That activity is now said to have exposed the accounts of 32 million users.

The revelations would seem to indicate a massive disconnect between IT security and the business at Yahoo – perhaps one of the reasons why former CISO Alex Stamos left for Facebook in 2015.

It should be a cautionary tale for businesses everywhere, as the fallout continues.

General counsel and secretary, Ronald Bell, will leave the company as a result of the investigation with no severance pay, and CEO Marissa Meyer will not receive a cash bonus for 2016.

She has also agreed not to receive her 2017 annual equity award – which is said to be more than $10m.

The firm revealed it has already recorded $16m in losses related to the 2013 and 2014 breaches – “of which $5 million was associated with the ongoing forensic investigation and remediation activities and $11 million was associated with nonrecurring legal costs.”

Also, it is expecting to incur further “investigation, remediation, legal, and other expenses” going forward.

A large portion of this could come from the 43 consumer class action lawsuits which have since been instigated against the firm, with possibly more to come.

However, frustratingly, there was no more information on the 2013 breach of one billion user accounts, with the filing only saying the following:

“We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 Security Incident.”

The internet pioneer last week agreed a $350m cut in its asking price with Verizon, which will look to wrap up its M&A deal soon.

Yahoo: 32 Million Accounts Accessed via Cookie Forging Attack
 
Last edited:
D

Deleted member 178

That is always the same in any corporations, ITs/Admins/devs find weaknesses, ask the executives to give credits to fix the issues, the unskilled ignorant executives refuse because they don't want spend a dollar on it ...it happens even in security softwares companies...
 

larry goes to church

Level 3
Verified
Mar 10, 2017
103
"She has also agreed not to receive her 2017 annual equity award – which is said to be more than $10m."

Multiple hacks in the past years and still MILLIONS expected in bonuses.
Dumping that cash into their security budget would probably be a better move ahaha
 
  • Like
Reactions: LASER_oneXM

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top