Russian Hackers Indicted for Yahoo Breaches
When Yahoo disclosed last year that more than 500 million of its user accounts had been hacked, the company blamed state-sponsored hackers. Now there's proof that some of those hackers were working for a Russian spy agency.
A federal grand jury indicted four alleged hackers on Wednesday, including two officers of the Russian Federal Security Service (FSB). The defendants stole information from at least 500 million Yahoo accounts, according to the U.S. Department of Justice, using it to hack into numerous accounts at other email providers and even steal credit card numbers.
The indicted hackers are FSB officers Dmitry Dokuchaev and Igor Sushchin, Russian national Alexsey Belan and Canadian Karim Baratov. They conspired to hack Yahoo as early as 2014, according to the DOJ, and were successful in repeatedly accessing the company's user accounts until September 2016, when Yahoo disclosed the breach and notified potentially affected users.
The indictment includes 47 counts of conspiracy to commit espionage, wire fraud, computer device fraud and identity theft, among other crimes. Belan initiated the hack in November 2014 by stealing Yahoo's cookie "minting" source code, which enabled the defendants to manufacture account cookies to then gain access to individual user accounts, according to the indictment.
Some of the accounts the hackers had access to include those belonging to Russian journalists, U.S. and Russian government officials and employees of financial, transportation and other companies, the DOJ said. The individual targets were not disclosed. U.S. Attorney General Jeff Sessions said in a statement that the attack was "one of the largest data breaches in history."
"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," Yahoo Assistant General Counsel Chris Madsen said in a statement. "We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible."
After it disclosed the state-sponsored attack in September, Yahoo announced an even larger breach that affected 1 billion user accounts in December. The company said the two attacks were likely unrelated, though it was unable to identify how the 1 billion accounts in the second attack were compromised. Earlier this month, Yahoo also revealed a breach of 32 million accounts.
All these attacks ultimately jeopardized the Yahoo-Verizon deal; in February, Verizon reduced its purchase price of Yahoo by $350 million.