Last Thursday, Recode broke the news that hackers had stolen 500 million Yahoo users’ private data. More unsettling was the fact that the hack occurred in 2014, and Yahoo buried the story. The New York Times reports Wednesday that top executives, including CEO Marissa Mayer, chose to ignore Yahoo security experts and leave vulnerabilities exploitable.
The security team at Yahoo, nicknamed the “Paranoids,” told company executives that a few steps would mitigate the hackers’ threat. Google was also victim to the 2014 hack, reportedly perpetrated by the Chinese military. Unlike Yahoo, Google disclosed the hack and invested “hundreds of millions of dollars in security infrastructure” to patch the holes, the New York Times reports. The Paranoids requested that all users be forced to change their passwords, and pushed for end-to-end encryption for all emails. Both steps would have curtailed the hack’s effects. Mayer, along with her executives, vetoed the suggestions.
At the time, Yahoo felt that adopting such security measures would lead users to seek out new email clients. And, since it was already hemorrhaging users, the executives ruled that the sacrifice was too great. Instead of confronting the issue, and taking requisite steps to solve it, Yahoo attempted to bury news of the breach. Last week, two years after its users’ “names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions” were compromised in the hack, Yahoo finally fessed up.
It’s a useful insight into much of the modern-day tech world’s priorities. User retention is paramount; security takes a backseat. If something increases all customers’ security but could be seen as an inconvenience, and thereby could lead users to abandon the technology, website, or service, then the upgrade is not worth the backlash. Yahoo has been long been losing blood, and it officially bit the dust in late July — but its missteps are not exclusive. Many, though not all tech companies, employ this unconscionable math. Losing customers, to these companies’ executives, is more important than customer security.