The Justice Department charged four men — two of whom are Russian Federal Security Service, or FSB, officers — Wednesday for stealing the personal information of at least 500 million Yahoo customers in a massive breach that rocked the company's reputation and slashed hundreds of millions of dollars off its sale to Verizon.
The two non-FSB defendants were criminal hackers hired by the Russian officials to breach Yahoo's network. The stolen account information was used to gain additional content from customers' Yahoo accounts and accounts tied to other email providers, including Google.
Both Russian journalists and American diplomatic officials were then targeted using the data stolen in the hack. The charges for what was one of the largest computer intrusions in American history included conspiracy, economic espionage, wire fraud, and aggravated identity theft.
In a move that Acting Assistant Attorney General Mary McCord described as "beyond the pale," the FSB officials behind the hack were members of a Russian unit that serves as the FBI's liaison on cybercrime in Moscow. "These are the very people that we are supposed to work with cooperatively," she said during a press conference Wednesday. "They turned against that type of work."
One of the defendants, Alexsey Alexseyevich Belan, had been on the FBI's most-wanted list for more than three years for cybercrime, McCord said. Another defendant, Karim Baratov, was arrested for the Yahoo breach yesterday in Canada. The US government will ask Russian law enforcement officials to extradite the remaining three defendants, who reside in Russia, said Paul Abbate, the executive assistant director of the FBI's cyber branch.
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," said Chris Madsen, Yahoo's assistant general counsel and head of global law enforcement. "We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."
In December, Yahoo first revealed that hackers had stolen customer information from 1 billion Yahoo accounts in an attack dating back to 2013. The colossal breach was separate from the major intrusion that the Russian officials were charged with. That data breach was announced in September, when Yahoo said 500 million accounts had been compromised by a state-sponsored hacker in 2014. In both cases Yahoo said users' email addresses, telephone numbers, dates of birth, and passwords were likely stolen.
News of the attacks came just months after Verizon announced plans to buy Yahoo for $4.83 billion last summer. The embarrassing disclosures prompted Verizon to seek a nearly 20% discount of Yahoo's sale price, totaling $925 million. But the two companies instead agreed to slash $395 million off the deal price because of the damage from the breaches.
Following the company's review of the 2014 breach, Yahoo said CEO Marissa Mayer would not receive her 2016 annual bonus. Mayer also said she would forgo her 2017 equity award. Together, the pay cuts appear to amount to a personal loss of $14 million, but Mayer will still receive a $23 million "golden parachute" once Verizon's purchase of Yahoo is completed later this year.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.