Federal prosecutors announced charges against four men, including two Russian intelligence agents, on Wednesday for their roles in a conspiracy that led to the 2014 theft of 500 million Yahoo accounts, one of the largest known data breaches.
The four men together face 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft, the Justice Department said in a news release.
The two agents of Russia’s Federal Security Service, known as the F.S.B., who were charged are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident, and Igor Anatolyevich Sushchin, 43, a Russian national and resident. The other two defendants are Alexsey Alexseyevich Belan, 29, a Russian national and resident; and Karim Baratov, 22, a Canadian and Kazakh national and a resident of Canada.
“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” the acting assistant attorney general, Mary B. McCord, said in a statement.
Yahoo disclosed the theft of the data last September and said it was working with law enforcement authorities to trace the perpetrators. The hackers were able to use the stolen information, which included personal data as well as encrypted passwords, to create a tool that let them access 32 million accounts.
Yahoo has said for months that it believed that hackers sponsored by a foreign state were behind the attack but it had refused to provide details of what occurred because the federal inquiry was ongoing.
However, an internal investigation by the internet company’s board found that some senior executives and information security personnel were aware of the breach shortly after it occurred but “failed to properly comprehend or investigate” the situation. Two weeks ago, the company’s top lawyer, Ronald S. Bell, resigned over the incident, and its chief executive, Marissa Mayer, lost her 2016 bonus and 2017 stock compensation.
A separate, larger breach of one billion accounts occurred in 2013 but was only disclosed by the company three months ago. Yahoo has said it has not been able to glean much information about that attack, which was uncovered by InfoArmor, an Arizona security firm.
That theft included phone numbers, birth dates and weakly encrypted passwords and compromised the accounts of several million military and civilian government employees from dozens of nations, including more than 150,000 Americans.
The two thefts, the largest known breaches of a private company’s computer systems, had threatened to scuttle a deal that Yahoo struck last summer to sell its internet businesses to Verizon Communications.
Verizon sought to shave $925 million from the original $4.8 billion deal following news of the attacks, according to a securities filing on Monday. Last month, the two companies finally agreed to a $350 million price reduction.