Yahoo's Ugly Death, Part 1

When Marissa Mayer joined Yahoo as CEO, the company's stock rose 2% the day of the announcement. But the new CEO was basically initiated into her job by a major data breath - and the worst was yet to come.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Yahoo’s Ugly Death, Part 1

If I were to ask you ‘what makes an organization good at cybersecurity?,’ what would you say?

The most obvious answer is: people. If you get talented security people in a room together, you have a pretty good shot at success.

There’s also all that stuff you put around those people: money, for example, and the fancy tools and gadgets we all like to play with. That stuff isn’t worth much on its own, but in the right hands, it can be a great boost to any cybersec operation.

But there’s another factor, too: management. IT security reports to executives, who have the power to grant or deny funding. Team leaders who don’t set their foot soldiers in the right direction, and inspire good work in them, tend to leave security vulnerabilities in their wake. You could argue that these business people–even if they never touch a keyboard–are nearly as important to an enterprise security operation as the actual cybersecurity professionals.

It’s why, on November 8th, 2017, when the Senate Commerce Committee organized a hearing on corporate data breaches, they brought in a panel of CEOs. Like Richard Smith.

Even before being called to testify, Richard was having a bad 2017. His company, Equifax, had experienced arguably the most severe breach of personal data in history. When the public found out, he was fired. Then he was ping-ponged through Washington D.C., sitting before tribunals of Senators and Congresspeople who used him as a punching bag. No more was this the case than when Elizabeth Warren, on the Senate Banking Committee, systematically broke down how Equifax was actually profiting off its hack, by selling fraud protection to the very customers whose data it exposed in the first place.

Suffice it to say, this wasn’t a good time to be Richard Smith. When his turn came to speak to the panel of Senators, he politely emphasized the point. Quote: “I have submitted my written testimony to this committee, as well as to a number of other committees in both the Senate and the House. I’ve testified before, over the past three or four weeks.”

There’s no point in parading Richard Smith around Washington unless you believe, implicitly, that executives are as responsible for security failures at their companies as they are for successes in other areas. When new product lines succeed we praise CEOs, and when systems are breached we blame them.

And that’s the theme of the story you’re going to hear today. Cybersecurity from the top down. How business decisions determine security preparedness.

On that November 8th, the Senate Commerce Committee lined up a panel of executives to determine how their business decisions lead to large-scale corporate breaches. Like Richard Smith, each person on the panel was the face of one of the worst data breaches known to America.

But this episode isn’t about Richard Smith. This episode is about the person sitting to his left.

YAHOO’S FALL FROM GRACE

Yahoo. The name is synonymous with a time when all our lives were simpler–when a face book was an actual book full of student’s faces, computers made weird sounds when they connected to the Internet, and downloading a 1-minute long video could take all night.

At its height, Yahoo was one of the four or five most popular websites in the world, with billions of views every month, and a valuation well over 100 billion dollars. But as the 2000s turned into the 2010s, the web changed massively, and Yahoo was faced with the difficult task of changing with it.

Their web portal service model was going out of fashion. We all moved to GMail, and Google search became the front page of the internet, despite the fact that Ask Jeeves was obviously way better. Many of Yahoo’s services remained relatively popular, but they were no longer trendsetting, no longer growing, and the company’s market capitalization dropped to a fraction of what it once was. Any remnant of the mindshare, or what we might refer to as the “cultural capital,” they once held, fell off.

So to those of us on the outside, Yahoo’s fall seemed utterly quiet, gradual and, most of all, inevitable. But was it, really, any of those things?

COULD YAHOO BE SAVED?

Forget what you think you know, at least for a moment, and consider this: from the peak of the Dot Com bubble–some say, the beginning of the end for Yahoo–to 2008, their revenue increased tenfold. That success was no fluke, either. As print publishers struggled with the incoming revolution of online advertising, Yahoo was very much on top of it. They were positioned well enough that, when Microsoft attempted to buy the company for 45 billion dollars in 2008, co-founder and CEO Jerry Yang swiftly rejected the offer.

It was over the following few years that things would start to turn bad. The company transitioned through five different CEOs in just four years and, in the meantime, Google took over the internet.

This would seem like the end of the story, except in 2012, Yahoo made arguably the most significant hire in its history. A new CEO who could finally get things going again.

MARISSA MAYER/YAHOO’S REVIVAL

Marissa Mayer was destined for such a role from the beginning.

Some college students have a hard time in the job market, but after completing her degree at Stanford, Marissa was offered 14 different jobs, including a teaching gig at Carnegie Mellon, one of America’s leading engineering schools, and a consulting role at McKinsey, arguably the world’s premier consulting firm. The young Marissa turned down both those offers to become the 20th employee at a fledgling startup called “Google.”

At Google, she was a star. In fact, there’s a 100-percent chance you’ve run into her work. She oversaw the design of Google’s homepage–you know, the one you use probably ten times a day. She was also one of the three people behind Google AdWords. It’s difficult to overstate the importance of AdWords–to the internet as a whole, and to the company itself. To give you some sense of it, though: at one point, AdWords provided 96% of Google’s entire revenue.

In fact, you could argue that AdWords–and by proxy, Marissa Mayer–was at least partly responsible for the fall of Yahoo. Yahoo’s revenue multiplied tenfold between 2000 and 2008 in no small part because of their online advertising, but it declined even faster when Google–their smaller competitor–designed a better way to connect advertisers with users based on search results. AdWords.

So, by the principle that if you can’t beat ‘em, you should join ‘em, Yahoo in 2012 hired Marissa Mayer. It was a bold and popular choice. The company’s stock rose two percent the day of the announcement. Mayer instantly became an icon for women in an industry dominated by men.

Then she got to work changing the company culture. She opened an online portal for employee complaints–a system whereby any office problem given sufficient votes by employees would be automatically investigated by management. She oversaw a personnel shift, which brought remote employees back into the company offices. Fortune magazine put her in their 40 under 40 list, and ranked her as the 16th most powerful businesswoman on the planet.

In short: things were finally looking up for Yahoo. At least from the outside.

On the inside, however–the really, really inside–a very different story was about to be written.

SMITH VS MAYER

On November 8th, 2017, before the Senate Commerce Committee, Marissa Mayer sat just to the left of the now-former CEO of Equifax, Richard Smith.

The two are hardly alike in appearance. Smith–bald, thin, dark almost black eyes–exudes the coldness you’d want if you were casting someone to play the heartless CEO of an evil mega-corporation. Mayer, on the other hand, is blonde, blue-eyed, petite, with a softness to the way she speaks and holds herself.

In other ways, the comparison between them might be apt. Richard Smith oversaw one of the most successful periods in his company’s history, by turning Equifax into a prolific data aggregator. But a lust for newer, bigger data streams overshadowed the need to protect it all.

Marissa Mayer, during some of those same years, was diversifying Yahoo, and changing the culture from the inside. But that same provocateur attitude which landed her on Forbes lists also masked a chaotic business environment rife with bad decisions and resentments. In a mad dash to modernize Yahoo for a younger audience, for example, Yahoo acquired Tumblr for over a billion dollars in 2013. Then we all stopped using Tumblr. They also adopted over 50 other companies in just a few years’ time, including such illustrious brands as “Snip.it,” “Rondee,” “Tomfoolery” and “Bread.”

Remember Bread? All the cool kids were on Bread!

Mayer’s attempts to revitalize office culture were equally fraught. She instituted a ban on remote employees. Now, on the face of it, this doesn’t seem like such a bad idea: even today, there’s still an ongoing debate about how working from home affects productivity, for example. But this wasn’t a suggestion to cut down on remote workers, it was a ban on existing employees. Some of those employees had reason to be home. Take, for example, Marissa Mayer, who herself worked from home while pregnant, and built an entire nursery room beside her office. Not all Yahoo employees had such luxuries.

In addition to the remote work ban, Mayer deployed a performance review system whereby managers were recommended to rank their employees from most to least valuable, and fire those at the bottom end of the curve. Not only was this system dubiously legal; not all managers had employees they wanted to fire.

FBI ORDER

But nothing better encapsulated the discord at Yahoo during its final years than when the FBI came knocking.

After the San Bernardino terrorist attack in 2015, the FBI ordered Apple to break into the iPhone used in the attack. Apple refused. In a long, public battle with the most powerful authorities in the U.S. government, Apple steadfastly rejected the notion that they should have to break their own device security in order to service law enforcement, even in such an extreme case.

That same year, the FBI visited Yahoo. They requested that the company search its email databases for a particular set of characters (we don’t know exactly what). In order to meet the request, Yahoo would have to build a new, custom software tool to read all of its users’ emails. In response, Yahoo said: sure thing.

But, actually, it wasn’t Yahoo that agreed so much as Marissa Mayer, and her legal counsel. The only other people in the loop were the email engineers who built the tool and deployed it across all Yahoo email accounts.

You’d expect a top secret FBI order to be under tight wraps, but what happens when a CEO makes major decisions, like spying on billions of users, without consulting important members of the company? Well, just weeks later, Yahoo’s security team picked up strange code in their system, scraping user data. A hack! They manned the battle stations.

Then Alex Stamos, CISO of the company, found out what was really going on. According to Reuters, which broke the story, quote:

“When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them, hackers could have accessed the stored emails.”

Stamos and his security team were the kinds of people who could’ve warned Marissa Mayer about the security implications of a custom FBI intrusion tool. When a CEO and CISO are disconnected, it’s bad news for security. When a company’s own security team mistakes internal company software for foreign malware, it’s bad news for security.

So why should it have surprised anyone when, one day, hundreds of millions of Yahoo accounts appeared on the dark web?

PEACE_OF_MIND

[Peace] I can say for me personally, selling publicly, $15K for LinkedIn.

[Reporter] How much for the MySpace and Tumblr data?

[Peace] For both, almost $20K.

In June, 2016, a reporter for Wired magazine used encrypted, anonymous instant messaging to interview “Peace_of_Mind,” a dealer of stolen data on the dark web.

[Reporter] how have you got your hands on all these collections of breached user credentials?

[Peace] Well, all these have been hacked through [a] ‘team,’ if you want to call it that, of Russians.
Some have been my work, others by another person.

[Reporter] Are you Russian, yourself?

[Peace] Yes.

To call Peace_of_Mind–or “Peace,” for short–prolific would be an understatement. On their marketplace, “TheRealDeal,” sat a catalogue of over 800 million stolen user accounts across social media platforms. And, behind the scenes, they had plenty more to come.

[Reporter] Do you have more collections that you haven’t put up for sale yet?

[Peace] Yes, about another 1B users or so, again in the same timeframe: 2012-2013.

[Reporter] From which services?

[Peace] Social media and email services, mainly.

VERIZON

While a tech reporter was off texting with a darknet middleman, Yahoo had bigger things on its plate. They were about to sell their company to Verizon, for a deal reported to be somewhere shy of five billion dollars.

Five billion dollars wasn’t a lot for a company once worth 125 billion—a company which not ten years prior shot down an offer for 45 billion. Five billion was an acknowledgement that Yahoo was, basically, done for as a major market player, and that Marissa Mayer was unable to achieve the lofty expectations assigned to her. But five billion was something. And if you were on the inside at Yahoo—if you got to see what was really going on behind closed doors–you might have taken even less.

One month after Peace interviewed with Wired magazine, 200 million fresh-out-of-the-box Yahoo user accounts were posted to TheRealDeal. Vice Motherboard, which first picked up the story, reached out to Yahoo for comment. Yahoo representatives neither confirmed nor denied the report. “We are aware of a claim,” they said.

[Peace] well fuck them they dont want to confirm well better for me they dont do password reset

Peace had a point. The longer Yahoo took to acknowledge the hack, the longer it’d be before users were notified. If users weren’t notified, they wouldn’t know to change their passwords. If they didn’t change their passwords, Peace’s customers would make more money off of them.

This is why responsible corporations disclose data breaches immediately upon discovery, even knowing the legal and reputational consequences they’ll have to face.

But Yahoo did no such thing. They had a five billion dollar deal on the line.

A HISTORY OF HACKING

As they say in America, this wasn’t Yahoo’s first rodeo. By the time they began a quiet investigation into how 200 million accounts ended up on the dark web, they were already well-accustomed to being hacked.

In fact, Marissa Mayer was basically initiated into her job by a major breach. Just four days before she was officially named CEO, Business Insider received a tip that her new home company had been hacked. A pretty eventful first week on the job, you’d have to say.

The issue concerned Associated Content–a company bought by Yahoo in 2010, as part of its long and historic lineage of misguided acquisitions. Associated Content–a site where freelancers get paid for writing articles–was rebranded under the name “Yahoo Voices” in 2011. But while the marketing division was hard at work trying to sell Yahoo Voices to the masses, the security division had less of a role.

According to MIT Technology Review, Associated Content’s IT systems were weakly secured, and nobody at Yahoo bothered to fix them. So by 2012, a hacker group called “D33D’s Company” was able to sneak right in. They downloaded and dumped Yahoo database information, as well as 450,000 user emails and passwords onto the internet.

For the incoming Chief Executive, this was a warning shot. Yahoo was a target, and cybersecurity would play a role in the future of the company. But in case the message wasn’t clear, just half a year later, another incident occurred.

This time it was Yahoo Mail, and the story wasn’t quite as clear. People just started to…get hacked. One by one. After a while, on Twitter, searches for “Yahoo” and “hack” started populating.

That’s when a grey hat hacker named Shahin Ramezany posted a very informative YouTube video, detailing a step-by-step method for how to crack a Yahoo account from any major browser, using a XSS vulnerability in the DOM. Any hacker could do it in just a few minutes, or automate the task. A pretty neat video, until YouTube took it down.

The evening Shahin posted his video, Yahoo deployed a fix for the XSS zero-day. The next day, however, researchers working with Shahin discovered a workaround for the fix. Using only a few modifications to the code and a simple phishing email, they were able to exploit the same vulnerability.

It would have seemed like the end of the ordeal when, a few days later, Yahoo newly confirmed a fix across all its sites. But, later that January, the website The Next Web–which had been breaking the story throughout the month–started getting emails from Yahoo users which suggested something else was going on. These users were receiving emails with a bit.ly link which seemed to direct to an MSNBC news article. Those who clicked the link were brought to a fake MSNBC page, which had actually been registered in Ukraine, and was hosted from a data center in Cyprus (in other words, not the kinds of places you’d expect MSNBC to be operating). Analysts from Bitdefender described the attack path, writing, quote:

“Once the user lands on the alleged MSNBC page, a piece of JavaScript code inside tries to exploit a known vulnerability (CVE-2012-3414) in the SWF Uploader component on the Yahoo Developers Blog [. . .] Once [the hackers] have the log-in cookie, they can authenticate into the victim’s account and send spam or harvest contacts’ email addresses for other spam campaigns.”

Other account holders didn’t even get the phishing emails, yet were still compromised. One person, speaking anonymously, claimed that their dummy account–an account they didn’t ever actually use–had been breached, and their address used to distribute phishing emails to all their contacts.

Whoever was behind this campaign wasn’t some lone grey hat hacker. An individual whose company got snagged in the campaign told TNW, quote:

“We were hacked at the end of January. They spammed everyone in the “contact” folder and deleted all the contacts. We just had another yahoo account hacked yesterday. Not only did it spam the entire “contact” folder, but we are unable to send out emails or access our “secret question” to change the password.

There was a toll free number to call and when we did so we spoke with people who spoke very poor English, and they asked for a one time fee of $100 for assistance with the issue. When we refused they hung up on us. We called the number twice, the first time we spoke with a woman and the second time we called we spoke with a man. Both times we called when we refused the payment of $100 we were hung up on.”

Exactly who was exploiting Yahoo Mail in January, 2013 is to this day unknown. What’s important are two things.

First: Yahoo claimed to have released fixes on multiple occasions during that month, yet none apparently worked, as users were still reporting being compromised even months afterward. It’s unclear whether Yahoo’s fixes didn’t work, or didn’t exist.

Second, and more importantly: there were other hackers in Yahoo’s systems, at this same time, doing things that neither Yahoo nor anybody else knew about.

NOT A QUIET DEATH

When people say Yahoo’s demise was gradual, quiet, inevitable, they’re wrong. In reality, it was loud, with high ups and downs which, at times, indicated that there was a light at the end of the tunnel. But rather than reach that light, a company trying too hard to be hip, to move fast and break things and revitalize itself, only compounded the problems that were already there.

The new CEO was introduced via a hack of 450,000 user accounts. As she and her team made sweeping changes to personnel, workplace rules, and new acquisitions, they failed to make a commensurate impact in security. As a result, in under a year’s time, Yahoo was hacked on multiple occasions, by multiple entities. And it hardly ended there. One year after the phishing campaign on Yahoo Mail, Yahoo Mail was hacked again, this time via a third-party server.

In fact, we haven’t even gotten to the actual story yet. Everything you’ve just heard: it’s all buildup–scene-setting to give you a proper sense for just how unsettled, how tenuous this House of Cards really was.

It was so tenuous that by the time a Russian hacker with a colorful personality posted 200 million Yahoo accounts for sale on the dark web, they were in the company of plenty of other hackers who’d already breached Yahoo in some form or another.

And 200 million accounts was only an indent in a much deeper, much worse problem. Listen to what Peace said elsewhere in their Wired interview:

[Reporter] It seems like much of the data you’re selling is old [. . .] How did it happen that you came to possess this old data and are only selling it now?

[Peace] Well, these breaches were shared between the team and used for our own purposes.

[Reporter] Why didn’t the crew want to sell the whole collection earlier?

[Peace] It is not of value if data is made public. We had our own use for it and other buyers did as well. In addition buyers expect this type of data to remain private for as long as possible. There are many [databases] not made public for that reason and [in] use for many years to come.

What do we learn from these quotes? That by the time hundreds of millions of online accounts make it onto TheRealDeal, they’ve already been in hackers’ hands for years. And that those hackers use those accounts for their, quote, “own purposes.”

In our next episode of Malicious Life, the consequences of Yahoo breaches will go far, far beyond email spamming, or even black market trading. And 200 million accounts will seem tiny.

[Peace] it’s fun fucking around with these people.