Yahoo is at the center of a new damning report in which sources claim the company built its own software to spy on all incoming Yahoo Mail emails on behalf of the United States government. According to the sources, the software monitored the incoming emails for certain bits of information as provided by either the NSA or the FBI, resulting in “hundreds of millions” of accounts suffering privacy violations. This spying allegedly resulted in former Chief Information Security Officer Alex Stamos leaving the company, as sources say he disagreed with CEO Marissa Mayer’s decision to comply with government orders.
The information comes from Reuters, which said it received its information from a pair of former Yahoo employees and a third person who is “apprised of the events.” While it isn’t known whether Yahoo ever ended up handing over information it found via this alleged software, the report is still startling in its accusations, claiming that Yahoo made the custom software as the result of a classified directive sent from the government to the Yahoo legal team.
It isn’t clear who issued the directive: the NSA working through the FBI, the FBI itself, or a different agency altogether. The demands, which are thought to have been given to other companies as well (though that is unverified), are likely due to the agency not knowing the email addresses of the intended targets. What information was sought is unknown, though it reportedly involved a string of characters, so it could have been, for example, specific words or sentences.
The government directive supposedly caused a rift behind closed doors, with some company executives disagreeing with Mayer’s decision to comply. This decision was reportedly made some time last year, with sources saying Yahoo had determined it would lose if it tried to fight the order. It also upset some of the employees who ultimately ended up working on the matter.
The program itself was said to have been written by the Yahoo Mail email engineers and to have pulled in any incoming emails that contained the character strings of interest. The emails were reportedly then stored in a way that let U.S. spies access them remotely. Sources claim Yahoo didn’t consult with the Yahoo security team at points during this, instead leaving the security team to learn about it in May of 2015, a short while after it went live. Sources say the team had originally thought they’d been hacked.
The sources go on to claim that Stamos, who resigned from his Yahoo role after learning about the software, said there was a ‘programming flaw’ with it that left the siphoned emails exposed to outside hackers. He reportedly said there was no decision left for him that didn’t result in user security violations.
The report, though unverifiable at this time, deals a massive new blow to the already troubled company. In recent weeks, Yahoo has disclosed the hacking of more than 500 million accounts by a state-sponsored hacker. The fallout from that has already been massive, with many users losing whatever trust they had remaining in Yahoo. In light of this new report, it is likely all of Yahoo’s past security disclosures will mean very little to any users who remain with the company.