When Yahoo experienced the nation’s largest hacking attack in August 2013, it lacked a permanent information security chief.

By Wendy Lee

When Yahoo experienced the nation’s largest hacking attack, with information stolen from more than 1 billion user accounts in August 2013, it lacked a permanent information security chief.

The Sunnyvale company has struggled to retain top cybersecurity executives. Since 2012, Yahoo has had three chief information security officers — a role responsible for guarding against hacking threats and patching weaknesses quickly. For roughly a year, the company was searching for someone to permanently fill the position. That’s when the record-breaking breach occurred.

Yahoo’s churn of security executives may seem rapid, but it is only slightly faster than what’s considered normal among large companies. The average tenure of chief information security officers is 2.1 years, according to the Ponemon Institute, a research firm. Often those who serve in these roles are heavily recruited by other firms, because executives with the right skill set are scarce. But as massive data breaches become more frequent, concern has mounted that the lack of continuity could cause problems.

During Mayer’s tenure, Yahoo experienced two enormous data breaches — the one in August 2013 that affected more than 1 billion user accounts and a separate incident in 2014 impacting at least 500 million accounts. The company said it still does not know what caused the August 2013 breach and believes a state-sponsored actor was behind the 2014 hack. Security experts say it’s possible the hacks could have happened to any company, but Yahoo could have taken additional steps to protect users. For example, some of the data taken from users in 2013 were scrambling passwords using MD5, which is considered an outdated technology because software tools can uncover the actual passwords, experts said. (The company switched to a more secure way of scrambling passwords in summer 2013.)

“(It’s) very easy to crack,” Apostolos Giannakidis, a lead security engineer at Waratek, which specializes in application security, said of MD5. “Yahoo should have made the effort to upgrade their infrastructure.”

At many tech firms, the security team is often separate from the engineers building products, analysts said. Sometimes security workers will make suggestions that may slow down an app but increase protections.

“There is just a natural tension between those two, and undoubtedly Yahoo, like a lot of groups, got caught in the middle,” said James Lee, chief marketing officer at Waratek. “The people that are developing those apps have security on their checklist, but they are focused on getting the app in on time, on budget with the right features and functionality.”

Read the full article here