The U.S. Department of Justice charged four Russian-connected hackers with crimes related to the Yahoo mega-breach, a move solution providers said they hope sends a signal to hackers about the consequences of a high-profile attack.
The charges apply to the 2014 data breach that affected 500 million users and exposed account information, which could include names, email addresses, telephone numbers, birthdays, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The hackers then used that information to gain unauthorized access into Google and other webmail providers.
The Justice Department announced indictments of four people in connection with the attacks, including two Russian intelligence agency FSB employees, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, as well as Russian criminal hacker Alexsey Alexseyevich Belan and Canadian criminal hacker Karim Baratov.
The charges include computer fraud and abuse, economic espionage, engaging in theft of trade secrets, wire fraud, unauthorized computer access for commercial or private financial gain, and identity theft.
"The Department of Justice is continuing to send a powerful message that we will not allow individuals, groups, nation-states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country," said Mary McCord, acting assistant attorney general, National Security Division, at a press conference Wednesday.
The 2014 data breach originally was considered one of the largest data breaches in history when it was disclosed in September, until a second, larger breach was disclosed in December. The second breach, which was discovered after further forensic expert analysis into the 2014 breach, affected 1 billion user accounts in August 2013, with an unauthorized third party stealing data that included names, email addresses, telephone numbers, dates of birth and hashed passwords, as well as, in some cases, encrypted or unencrypted security questions and answers.
The breach had wide-reaching impact on Yahoo, including causing it to slash the price of its acquisition by Verizon by $350 million and CEO Marissa Mayer to see the loss of millions of dollars in her cash and stock bonuses.
Yahoo originally had attributed the attack to a state-sponsored hacker, although that has not been proven. McCord said it appears the hackers used the attack for intelligence gathering as well as financial gain.
Paul Abbate, FBI executive assistant director, criminal, cyber, response and services division, said at the conference that the charges show that the U.S. intends to find and prosecute hackers that target U.S. citizens or companies. McCord said the Justic Department is still evaluating further sanctions allowed under executive order, saying "the tools that are potentially on the table remain on the table."