Two Russian spies are among four individuals indicted by the US Department of Justice (DOJ) over a huge theft of Yahoo user accounts.
The members of the FSB, the Russian intelligence agency, conspired with criminal hackers, according to DOJ officials announcing the charges.
Previously, Yahoo said “state-sponsored” hackers were behind the 2014 breach affecting 500 million accounts.
The suspects are also alleged to have targeted Google accounts.
Hacking was directed at Russian and US government officials, including security, diplomatic and military personnel, according to the DOJ.
The indictment also alleged that 30 million Yahoo accounts were commandeered without authorisation for use in a spam campaign.
“We will not allow individuals, groups, nation states, or a combination of them to compromise the privacy of our citizens, the economic interests of our companies, or the security of our country,” said acting attorney general Mary McCord, announcing the charges.
The suspects were named in a DOJ press release as:
- Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and FSB officer
- Igor Anatolyevich Sushchin, 43, a Russian national and FSB officer
- Alexsey Alexseyevich Belan, 29, a Russian national and resident
- Karim Baratov, 22, a Canadian and Kazakh national and a resident of Canada
Baratov was arrested on 14 March in Canada.
One of the alleged hackers has been on of the FBI’s most wanted cyber criminals for more than three years, according to acting Att Gen McCord.
The suspect in question, Alexsey Belan, was aided by the FSB who – according to the DOJ – provided him with “sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by US and other law enforcement agencies outside Russia”.
“We would hope [Russia] would respect our criminal justice system and respect these charges,” said acting Att Gen McCord, acknowledging the fact that the US does not have an extradition treaty with Russia.
“The United Kingdom’s MI5 made substantial contributions to the advancement of this investigation,” added FBI executive assistant director Paul Abbate.
Yahoo was criticised for the delay in informing users about the 2014 breach.
The stolen data included names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data, according to Yahoo.
Last year, users were advised to change their passwords.
Around eight million UK accounts were believed to have been affected – including some users of BT and Sky email services.
“The indictment unequivocally shows the attacks on Yahoo were state-sponsored,” Yahoo said in a statement, responding to the DOJ announcement.
“We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.”
The DOJ said that the charges have no connection to the hack on the Democratic National Convention last year.