The US Department of Justice has charged four Russian-connected hackers with crimes related to the Yahoo mega-breach.
The charges apply to the 2014 data breach that affected 500 million users and exposed account information, which could include names, email addresses, telephone numbers, birthdays, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The hackers then used that information to gain unauthorised access into Google and other webmail providers.
The Justice Department announced indictments of four people in connection with the attacks, including two Russian intelligence agency FSB employees, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, as well as Russian criminal hacker Alexsey Alexseyevich Belan and Canadian criminal hacker Karim Baratov.
The charges include computer fraud and abuse, economic espionage, engaging in theft of trade secrets, wire fraud, unauthorised computer access for commercial or private financial gain, and identity theft.
"The Department of Justice is continuing to send a powerful message that we will not allow individuals, groups, nation-states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country," said Mary McCord, acting assistant attorney general, National Security Division, at a press conference yesterday.
The 2014 data breach was originally considered one of the largest data breaches in history when it was disclosed in September, until a second, larger breach was disclosed in December. The second breach, which was discovered after further forensic expert analysis into the 2014 breach, affected 1 billion user accounts in August 2013, with an unauthorised third party stealing data that included names, email addresses, telephone numbers, dates of birth and hashed passwords, as well as, in some cases, encrypted or unencrypted security questions and answers.
The breach had wide-reaching impact on Yahoo, including causing it to slash the price of its acquisition by Verizon by $350 million and CEO Marissa Mayer to see the loss of millions of dollars in her cash and stock bonuses.
Yahoo originally had attributed the attack to a state-sponsored hacker, although that has not been proven. McCord said it appears the hackers used the attack for intelligence gathering as well as financial gain.
Paul Abbate, FBI executive assistant director, criminal, cyber, response and services division, said at the conference that the charges show that the U.S. intends to find and prosecute hackers that target US citizens or companies. McCord said the Justice Department was still evaluating further sanctions allowed under executive order, saying: "the tools that are potentially on the table remain on the table".