The defendants, including two officers of the Russian Federal Security Service, Dmitry Dokuchaev and Igor Sushchin, were able to gain information about “millions of subscribers” at Yahoo, Google, and other webmail providers, the Justice Department said.
Dokuchaev and Sushchin paid co-conspirators Alexsey Belan and Karim Baratov to access email accounts, the Justice Department said.
Acting Assistant Attorney General Mary McCord said that Belan is a “notorious” criminal hacker — one of the FBI’s most wanted — known for hacking U.S. e-commerce companies.
Bloomberg first reported news of the indictments.
Yahoo disclosed two separate data breaches last year, both among the biggest in history. A 2013 attack revealed in December affected more than 1 billion user accounts. In a separate 2014 attack, disclosed in September, information was stolen from at least 500 million user accounts.
“We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible,” Yahoo told CNBC in a statement.
Verizon agreed to buy Yahoo before the breaches were publicly disclosed. In February, Verizon cut $350 million from its purchase price for Yahoo. Earlier this month, Yahoo CEO Marissa Mayer said she would forgo her annual bonus in the wake of the incidents.
Yahoo’s top lawyer, Ronald Bell, resigned from the company after the board of directors concluded that Yahoo’s legal team did not sufficiently pursue information about the hacks.
McCord highlighted the efforts of Yahoo and Google, who cooperated with the investigation and worked “tirelessly.”
“When you are going against the resources of a nation state, you cannot go it alone. You do not have to…. We can put the full capabilities of the United States behind you,” McCord said.
— Reporting by NBC’s Pete Williams. Written by CNBC’s Anita Balakrishnan.
Earlier today, the U.S. Department of Justice announced the indictment of four defendants, two Russian intelligence officers and two state-sponsored hackers, for the theft of Yahoo user data in late 2014, as well as cookie forging to obtain access to user accounts on our network in 2015 and 2016. The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.
This morning’s announcement is consistent with our prior disclosures. On September 22, 2016, we disclosed our belief that a state-sponsored actor had stolen a copy of certain user account information for approximately 500 million user accounts in late 2014. On December 14, 2016, we provided details on the forging of cookies to gain access to certain user accounts without a password and we linked some of that activity to the same state-sponsored actor.
We appreciate the FBI’s diligent investigative work and the DOJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users. We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.