Yahoo breach cost CEO Marissa Mayer millions in bonuses

2 Mar 2017

Yahoo. Image: Todd A. Merport/Shutterstock

Yahoo’s public stumble towards a sale to Verizon has revealed that Marissa Mayer, its current CEO, missed out on $2m in bonuses after recent hacks.

In September last year, Yahoo revealed a 2014 hack that hit around 500m accounts, which was attributed to an unnamed foreign government.

Three months later, it emerged that Yahoo suffered a separate, monumental breach in 2013, with an unauthorised third party obtaining data from more than 1bn accounts.

The damage was undeniable, putting Verizon’s purchase of Yahoo under threat. The previously agreed price of $4.8bn was immediately put under review, and has reportedly been reduced to below $4.5bn.

The deal has still not been settled, with Yahoo CEO Marissa Mayer now revealing that the former breach ultimately cost her significant sums of money in the form of bonuses and stock.

Mayer’s annual bonus is worth in the region of $2m, with significant annual stock options also valued at millions of dollars. This was all forgone by Mayer, who instead redistributed it to the company’s staff.

The 2014 hack saw data – potentially including names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers – accessed by a third party.

“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and [we] reported it to law enforcement as well as to the 26 users that we understood were impacted,” she said in a post on Tumblr.

“When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators and government agencies.

“However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year, and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”

The statement from Mayer comes as Yahoo revealed this particular breach continued in subsequent years, with the same attacker involved in cookie forging yet again in 2015 and 2016.

Just 26 “specifically targeted” users were originally contacted, something the US Securities and Exchange Commission appears less than impressed with.

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team,” it said in a statement.


Updated, 2.31pm, 2 March 2017: This article was amended to show more accurately the number of accounts breached. 

Gordon Hunt was a journalist with Silicon Republic
