Two Russian spies, one well-known Russian hacker and one Canadian have been charged with stealing sensitive information from 500 million Yahoo user accounts in one of corporate America’s biggest-known hacks.
The 47-count indictment — which includes charges of conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud, and aggravated identity theft — was announced Wednesday morning by the U.S. Justice Department.
Yahoo Inc., the beleaguered Sunnyvale, Calif.-based internet firm, disclosed the hack in September, saying that cyber thieves in 2014 had pilfered names, email addresses, telephone numbers, dates of birth, passwords and some encrypted and unencrypted security questions and answers.
The number of user accounts affected was massive, even compared with other major data breaches. Yahoo has said it believed it was the victim of a “state-sponsored” attack.
The indictment announced Wednesday, handed down by a federal grand jury in San Francisco, names Dmitry Dokuchaev and Igor Sushchin, described as Russian operatives of the Kremlin’s intelligence agency; Alexsey Belan, a Russian national on the FBI’s list of most wanted hackers; and Karim Baratov, described as a Canadian hacker.
Putting the Russian suspects in handcuffs will not be easy: There is no extradition treaty with Moscow, and there is no reason to believe the Kremlin will want to hand over its spies and citizens to face charges in the United States.
However, the officials said, they believe that such charges are useful for sending a message that adversaries face consequences for targeting U.S. companies for traditional spying or financial gain. They likened the move to indictments filed in 2014 against five Chinese military officers who were accused of hacking and stealing information from U.S. companies to help the Chinese government and businesses.
Obama administration officials said last year that the indictment of the Chinese officials and other efforts persuaded Beijing to somewhat curtail its aggressive cyber efforts to steal trade secrets of U.S. companies.
The hack of Yahoo had dual motives, the U.S. officials said: One was to gather information on Russian journalists and U.S. and Russian officials, as well as employees of other computer networks to exploit, as part of more traditional spying efforts. The other motive was financial gain for the criminal hackers, authorities said.
After disclosing this hack last year, Yahoo revealed an even larger data breach that it said was separate. Disclosure of the two incidents led Verizon Communications Inc., which agreed last year to buy Yahoo’s core internet business, to cut $350 million off the purchase price; it is now set to pay $4.5 billion.
Acknowledging that the breaches happened under her watch, Yahoo Chief Executive Marissa Mayer offered to forgo her annual bonus and stock grant. She is still set to collect a severance package worth about $23 million as part of the Verizon deal. Former employees have said Mayer and other senior Yahoo executives resisted suggestions to bolster defenses and cybersecurity investigations.
The Verizon deal keeps Yahoo on the hook for most expenses from lawsuits and government investigations tied to the hacks. The acquisition is expected to close in the second quarter of this year.