The US department of justice (DoJ) has charged two Russian intelligence officers and their conspirators for hacking Yahoo in 2014.
The charge says the two officers from the Russian Federal Security Services (FSB) protected, directed, facilitated and paid criminal hackers to infiltrate Yahoo and hack 500m accounts.
Here is what you need to know about the hack and what happens next.
The 2014 Yahoo hack
Yahoo has been hit with several security breaches in the past few years but this is one of the most serious cases due to the large amount of accounts involved, 500m in total, and the fact Yahoo has been saying for a few months now that it believed the hack was state-sponsored.
Account information was taken from all those affected and may have included names, email address, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Who was involved in the hack?
According to the DoJ’s charge, four defendants have been indicted for charges including computer hacking, economic espionage and other criminal offence in connection with conspiracy.
The FSB officers, Dmitry Dokuchaev and Igor Sushchin, are accused of ordering two hackers, Alexsey Belan and Karim Baratov, to collect the information.
Belan was named as one of the FBI’s cyber most wanted criminals in November 2013. After being arrested in a European country, he managed to escape to Russia before he could be extradited to the US on other charges.
The DoJ believes the defendants used unauthorised access to Yahoo’s systems to steal account data before using it to gain access to the email accounts of Russian journalists, Russian and US government officials, and other companies.
US attorney general Jeff Sessions said:
The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”
What happens now?
The DoJ statement stresses that the indictment is only an accusation and the defendants should be presumed innocent unless proven guilty.
One of the hackers involved, Baratov, is a Canadian resident and was arrested two days ago in his home country on orders of the DoJ. The matter is now pending with the Canadian authorities.
The second hacker, Belan, is the subject of a so-called red notice which requests that Interpol member nations arrest him pending extradition.
Russia, Belan’s home country and the place where he is currently residing, is also part of Interpol but there has been no word so far that he has been arrested.
The FSB officers charged with ordering and facilitating the hacking, Dokuchaev and Suschin, are both in Russia also.
Presumably a trial will begin when all defendants are extradited to the US, however, as three are in Russia, this could take a while.
The Russian connection will certainly raise tensions in the US. Russian state-sponsored hackers were accused of tampering in the recent US presidential election by the CIA and the Trump administration’s closeness to the Russian government has caused concerns.
What does this mean for Yahoo?
After the announcement of the indictment, Yahoo posted a statement expressing its gratitude to the FBI for investigating the crimes and the DoJ for “bringing charges against those responsible.”
The indictment unequivocally shows that attacks on Yahoo were state-sponsored,” said the company.
“We appreciate the FBI’s diligent investigative work and the DOJ’s decisive action to bring to justice to those responsible for the crimes against Yahoo and its users. We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime.”
Yahoo’s reputation has suffered tremendously since the hacks, which occurred during a takeover bid by Verizon. Verizon ended up getting a $350m discount, cutting the final sale price from $4.83bn to $4.48bn.
In addition, it was slated for not disclosing the hacks in the first place. Though the Russian hack happened in 2014, it didn’t disclose the breach until 2016, something Yahoo’s chief executive Marissa Mayer was criticised for.
This week it was announced that Mayer would be leaving the company after its sale to Verizon, with a $23m parting gift.