Marissa Mayer's big mistake after the Yahoo hack, and why she was yelling at a NYT reporter
From https://marissamayr.tumblr.com/
Breach, Episode 2, sets the scene at Yahoo when Marissa Mayer took over and very quickly became one of the world's most famous CEOs. But underneath the glamour and bold decisions, Yahoo soon had a massive problem. How did she handle it? Yelling at a New York Times reporter on the phone probably wasn't her best moment, as you'll see when you listen (click play above).
Breach is a new podcast I am hosting with producer Alia Tavakolian of Spoke Media. It's an investigation into the Yahoo hack, which was the biggest hack ever. You can listen to episode 2 by clicking on the play button here, or by going to Stitcher or iTunes. There's a partial transcript below if you aren't quite persuaded to join the podcast world just yet.
Episode 1 (click here to start at the beginning) sets the scene for what's to come later: details of an alleged Russian conspiracy, including our jailhouse correspondence with one suspect who's already pleaded guilty. But in episode 1, I explain why the Yahoo hack is so much more than your run-of-the-mill smash-and-grab-credit-card-numbers kind of hack.
ALIA:
So we talked to Nicole Perlroth from the New York Times, right. She told this story about- do you know what story I’m talking about?
BOB:
I sure do, that was the moment.
ALIA:
That was the moment.
BOB:
Yeah yeah, I thought that we could start the entire podcast with that moment.
NICOLE:
You know it was really surreal. I was with my husband. And I get this call and it's from my coworker who I had written one of the initial Yahoo stories with, and he said, "Marissa wants to talk to us. You have to get on the phone."
BOB:
When this big event occurred and it started to get covered by journalists, Yahoo made this rather unusual decision for its time, which was even though they knew many millions of people had their email addresses and encrypted passwords stolen, Yahoo did not tell their users to reset their passwords, which is what in almost every other major incident like this, that's the first step that the security team insists on. And Nicole wrote that up in her story.
NICOLE:
So my husband and I go back to his car, it’s one of those situations where my phone is automatically Bluetoothed up to the car, and I don't have time to really switch it off, so my husband’s sitting there hearing this whole thing, and Marissa’s tone is just yelling.
ALIA:
Can you just for a second like play Marissa Mayer, and like try to convince me, like I just don't see the reason- how could you possibly convince somebody that it's not an important security step?
BOB:
These passwords were encrypted, they’re useless to whoever took them, so why would we tell our users that they had to change them? That would just cause unnecessary confusion and frustration for our users.
ALIA:
But these hackers have all this information. Somebody's looking at it on the dark web.
BOB:
But it’s useless, it’s scrambled, it doesn't do them any good.
NICOLE:
And you know if you cover this, you know how laughable that is, because you know how many ways there are to crack these passwords.
BOB:
2010’s way of encrypting doesn't do any good in 2015, because criminals have figured out how to break that level of encryption. So it's kind of an arms race game.
NICOLE:
It was really weird to be explaining basic security to the chief executive of one of the biggest companies in Silicon Valley. And her arguments just weren’t adding up.
BOB:
And she wasn't arguing that the story was incorrect, but what Marissa was trying to do, and for the life of me I will never understand why an executive would ever do this, was she was trying to personally convince Nicole that it was an unnecessary security step. Let's say Nicole agreed with her at that point. What good would that do? The story wasn't inaccurate. But what's really happening is this: Marissa made a decision which I would say is her tragic flaw. This would be the moment. Marissa made a decision that (and she knew this) if they sent out a note to everyone saying change your password, already they had millions and millions of accounts that were dormant. And that would be the one step that would have pushed a whole bunch of their user base off the cliff. People would've said, ‘You know what, screw it, I'm not going to bother resetting my password. I don't use my Yahoo account anyway.’ So because she was preening for sale, it would be devastating to see tens of millions of users disappear. So she decided to make this calculated risk. So she picked the needs of her company over the needs of her consumers, quite clearly. And it was more than a bad choice, it's a choice that deserves all the criticism it got.
ALIA:
And the choice was driven ultimately by money.
BOB:
The choice was driven by money over taking care of people. In Silicon Valley, and I think rightly so, Marissa had this reputation for being the defender of consumers. But what she really was was the defender of usability, of ease-of-use, of making things incredibly friendly and intuitive. People who are involved in cybersecurity do not want things to be easy. Easy is bad. They want to put speed bumps in front of you. The easier it is for you to get your data, the easier it is for someone who’s a bad guy to get your data. So you can see how there is this natural tension between usability and security. They’re basically sworn enemies, and Marissa was right at the center of that.
ALIA:
I’d personally love to chat with her, but Marissa didn’t respond to our emails for comment.