The Justice Department said Wednesday that two Russian intelligence agents and two other people have been indicted on charges stemming from the hacking of at least half a billion Yahoo accounts.
The defendants, including Russian Federal Security Service agents Dmitry Dokuchaev and Igor Sushchin, were able to gain information about "millions of subscribers" at Yahoo, Google, and other webmail providers as late as late last year, the Justice Department said.
Dokuchaev and Sushchin paid co-conspirators Alexsey Belan and Karim Baratov to access email accounts, the Justice Department said.
Acting Assistant Attorney General Mary McCord said that Belan is a "notorious" criminal hacker — one of the FBI's most wanted — known for hacking U.S. e-commerce companies. Belan used the Yahoo attacks to launch spam campaigns, searched user communications for credit card and gift card numbers, and other schemes to "line his own pockets with money," McCord said.
The FSB, an intelligence and law enforcement agency and a successor to the Soviet KGB — used Belan to break into Yahoo's network instead of detaining him, McCord said.
Baratov, a Canadian, was arrested on Tuesday, the DOJ said. The three others may be in Russia, which doesn't have an extradition treaty with the United States.
Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited, the Justice Department said.
Yahoo disclosed two separate data breaches last year, among the biggest in history. A 2013 attack revealed in December affected more than 1 billion user accounts. In a separate 2014 attack, disclosed in September, information was stolen from at least 500 million user accounts.
The Justice Department said the indictments by a federal grand jury in Northern California concerned at least 500 million Yahoo accounts for which account information was stolen, and at least 30 million Yahoo accounts for which account contents. Eighteen accounts with other providers, such as Google, were affected.
Targets included Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies, according to the Justice Department.
"We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible," Yahoo said in a statement.
Verizon agreed to buy Yahoo before the breaches were disclosed. In February, Verizon cut $350 million from its purchase price for Yahoo. Earlier this month, Yahoo CEO Marissa Mayer said she would forgo her annual bonus in the wake of the intrusions.
Yahoo's top lawyer, Ronald Bell, resigned this year, after the board of directors concluded that Yahoo's legal team did not sufficiently pursue information about the hacks.
McCord highlighted the efforts of Yahoo and Google officials, who she said "tirelessly" cooperated with the investigation.
"It is very important for corporations around the country to know, when you are going against the resources and backing of a nation-state, it is not a fair fight, and it is not a fight you are likely to win alone," McCord said. "But you do not have to go it alone. We can put the full capabilities of the United States behind you to make cases like this, but we cannot do it without your help."
Brian Stretch, U.S. attorney for the Northern District of California, said technology companies must share a common goal with the DOJ: to protect private communications from cybercriminals under the rule of law.
"Silicon Valley is home to the world's leading technology companies," Stretch said. "In recent years, the DOJ has made cybersecurity a top priority. ... Part of this effort has involved conducting extensive outreach throughout Silicon Valley."
Earlier today, the U.S. Department of Justice announced the indictment of four defendants, two Russian intelligence officers and two state-sponsored hackers, for the theft of Yahoo user data in late 2014, as well as cookie forging to obtain access to user accounts on our network in 2015 and 2016. The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.
This morning's announcement is consistent with our prior disclosures. On September 22, 2016, we disclosed our belief that a state-sponsored actor had stolen a copy of certain user account information for approximately 500 million user accounts in late 2014. On December 14, 2016, we provided details on the forging of cookies to gain access to certain user accounts without a password and we linked some of that activity to the same state-sponsored actor.
We appreciate the FBI's diligent investigative work and the DOJ's decisive action to bring to justice those responsible for the crimes against Yahoo and its users. We're committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.