Yahoo! dysfunction! meant! security! warnings! were! ignored!

Investigation reveals 32 million accounts were attacked with forged cookies, costing CEO Marissa Mayer her bonus


Yahoo!'s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company's reputation and finding the company knew about the gravity of the situation but failed to act properly to address the situation. Mayer has also decided to forego an award of equity due to her this year.

News of the decisions and Yahoo!'s investigation into the hacks emerged today with the publication of the company's Form 10-K, the warts-and-all documents US public companies are required to file each year to disclose just about any risk they face.

The 10-K summarises the results on and Independent Committee's investigation of the 2014 hack and the news isn't good for Yahoo! because the investigators "... concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016."

"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool," the 10-K says, explaining that while the company "took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement" those efforts weren't sufficient.

The filing offers this observation about Yahoo!'s conduct:

...it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.

It gets worse, as the 10-K also offers the following analysis:

Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.

There's a tiny ray of sunshine in that the Independent Committee "did not conclude that there was an intentional suppression of relevant information."

But the investigators did find "... that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident."

And those risks were substantial, because the 10-K reveals that the forensic experts it hired to look into the creation of forged cookies that could allow an intruder to access users’ accounts without a password has found that "an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies."

"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016," the 10-K filing states.

The good news is that Yahoo! has "invalidated" those cookies "so they cannot be used to access user accounts."

The bad news is that the investigation found "... failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters."

Marketers for information security companies and governance educators probably want to have those remarks framed.

The rest of us won't: Mayer's bonus is US$2m and her equity grant is usually about $12m of stock. That's peanuts compared to the US$350m Verizon has trimmed from its offer to buy Yahoo!. Mayer's lost haul is probably also well below the company's bill for lawyers to fight the "approximately 43 putative consumer class action lawsuits" the form 10-K says have been filed to date regarding the 2014 security breach.

Yahoo! doesn't think they will amount to much: the filing says "... the Company does not believe that a loss from these matters is probable and therefore has not recorded an accrual for litigation or other contingencies relating to the Security Incidents." ®

Similar topics


Other stories you might like

  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading
  • Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

    All together now - R, A, N, S, O...

    A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

    The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

    "We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.

    Continue reading

Biting the hand that feeds IT © 1998–2021