More details about Yahoo’s security breaches from last year have been revealed. It turns out that the company’s leadership was made aware of the cyberattack, but failed to appreciate the severity of the threat.
A filing submitted to the US Securities and Exchange Commission paints a picture of management that simply didn’t understand what it was dealing with. The statement says “senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool… While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.”
The filing also notes that the attacks were conducted by a state-sponsored attacker who managed to clone Yahoo’s cookies in 2014, and then returned with the same method to steal data in 2015 and 2016. Overall, some 32 million user accounts were affected by the breach.
As a result of these findings, CEO Marissa Mayer has announced that she is forgoing her annual bonus and equity awards for this year. Her note published on Tumblr reads:
“I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”
It’s not exactly surprising that Mayer is giving up her bonus. The security issues that plague Yahoo caused Verizon to knock some $350 million off its offer to buy the company. That’s not to mention that Yahoo itself may not be around after the sale of its assets.