Reuters has reported that Yahoo! secretly scanned customers’ emails on behalf of the NSA and the FBI. The company even “built a custom software program” to monitor the emails for specific information:

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

The mess caused some employees to leave Yahoo:

According to the two former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.”Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Reuters could not confirm exactly what data Yahoo sent to the feds or if the NSA and FBI asked other companies to spy on emails. But experts said more than likely the two groups approached other companies “since they evidently did not know what email accounts were being used by the target.”

Private surveillance experts have never seen anyone collect real-time data or a request that involved a company to build custom software:

“I’ve never seen that, a wiretap in real time on a ‘selector,'” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

This is the second bad news report for those who use Yahoo. Last week, Yahoo admitted hackers breached 500 million accounts back in 2014:

The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, Yahoo said.

Even in an Internet-dependent population accustomed to the regular occurrence of massive data breaches, the size of this one — thought to be the largest ever in terms of user accounts — is attention-grabbing. And the possibility that another country could be behind the attack adds to the shock factor.