A former Yahoo executive says CEO Marissa Mayer kept secrets from key members of the security team, raising more questions about business practices at the troubled internet company.
Yahoo’s approach to the security of its hundreds of millions of users has come under the spotlight amid revelations of a massive hack that went unreported for years and the company’s undisclosed collaboration with the nation’s top spy agency.
According to the former Yahoo executive that Business Insider spoke to, Yahoo’s culture of secrecy and its prioritization of other business goals led to troubling security practices that made it much more difficult for Yahoo to defend from hackers.
Yahoo’s security team was often denied funding and sometimes kept in the dark at Mayer’s direction, as she feared more emphasis on security could potentially spur a decline in the company’s user base.
“In the Mayer world, it became highly secretive,” to the point where the head of security wasn’t always “even part of the discussion,” the executive told Business Insider.
One such example was highlighted Tuesday, with some former Yahoo employees telling Reuters that Alex Stamos, the chief information security officer in 2015, was left completely out of a decision by Mayer to scan user emails for the government. Stamos and the security team only learned of the program after testing Yahoo’s systems for vulnerabilities and discovering software they thought had been inserted by hackers.
Instead, it was Yahoo’s own software engineers who had secretly installed the email scanning software. Stamos, who had been on the job for just one year, resigned in protest.
Not the first time
But according to the exec who spoke to Business Insider, the Stamos incident was typical of how security was handled at Yahoo.
The source recounted an incident about a year earlier in which a member of the security team revealed that they had been directed by the company’s legal department to look into a hacking incident, but were specifically ordered not to tell CISO Justin Somaini about it.
Top executives are sometimes kept out of investigations if there’s suspicion that they might be involved in the incident in some way. But in this case, according to the source, the reason for keeping the CISO out of the loop was because Mayer didn’t want the hacking incident being used as a justification to increase the security budget.
“It got very toxic with the Marissa years around a lot of subjects, security being just one of them,” the source added.
The “Paranoids” – as Yahoo’s security team is called – often went head-to-head with Mayer and lost, a number of security employees recently told The New York Times. This mostly came down to funding, as requests for things like intrusion detection software or security infrastructure would be rejected as too cumbersome for users, or too costly an expense that might take away from other projects.
Security issues were often “pushed down, dismissed, or out-and-out ignored,” the executive said. That may be why a number of Yahoo security engineers have left for other Silicon Valley companies, while the company has had trouble retaining executives to lead its security efforts.
Yahoo’s first CISO, Somaini, joined the company in 2011 and stayed until January 2013, leaving in part because he was “unhappy with the new regime” of Mayer, according to a report from All Things Digital. After his departure, the company didn’t have a full-time CISO until March 2014, when Alex Stamos was hired.
Stamos left for Facebook a little over a year later. His interim replacement, Ramses Martinez, moved to Apple only about a month after being put in the role. Yahoo’s current CISO, Bob Lord, has been on the job for 11 months.
In an emailed response, Yahoo said that it is “a law abiding company, and complies with the laws of the United States.”
Are you a current or former Yahoo security employee? Reach out: firstname.lastname@example.org (PGP: 0CA0 6424 E782 71BC 1057 EA87 94EF FBA8 8948 80).