Yahoo's massive hack blamed on Russian spies

A mix of spies and criminals are allegedly behind the second largest online breach in history.

With more than 1 billion active users, Yahoo had been a prime target for Russian spies and cyber criminals. Russian spies involved with the massive breach from 2014 wanted dirt on politicians, while hackers for hire scavenged through the spoils for profits.

The Department of Justice said on Wednesday that it had charged four hackers responsible for the second largest breach in history, which Yahoo revealed last September.

The state-sponsored hackers in Russia and Canada were hit with wire fraud, trade secret theft and economic espionage charges.

Two of the hackers were Russian spies under the Federal Security Service -- the country's equivalent of the US's FBI, while the others were identified as hired criminals.

Karim Baratov, one of the hackers based in Canada, was arrested on Tuesday, while the other three Russian hackers could be protected from a complicated extradition process.

"There are no free passes for foreign state sponsored criminal behavior," said Mary McCord, the acting assistant attorney general during a press conference on Wednesday.

The two year investigation from the FBI's San Francisco branch accused Russian spies Dmitry Dokuchaev and Igor Sushchinof of helping break into Yahoo to steal information from US government officials, Russian dissidents and journalists.

The Russian spies allegedly left Baratov and hacker-for-hire Aleksey Belan the spoils, letting the two cybercriminals use the emails for profit. The Yahoo breach is the largest hacking case ever handled by the US.

Belan is already one of the FBI's most wanted cyber criminals, with the agency offering a $100,000 reward for his arrest. The FBI accused Belan of hacking into three major e-commerce companies between 2012 and 2013, where he allegedly stole millions of accounts and sold the information. He was also sanctioned by the Obama administration in relations to Russian hackers meddling with the 2016 election.

"Belan used his access to Yahoo to search for and steal financial information such as gift cards and credit card numbers from user's email accounts," McCord said.

The four hackers used "a variety of techniques" to amass its stash of hacked accounts, FBI assistant director Paul Abbate said. It included spear phishing, registering thousands of fake emails to fool users, and downloading malware on Yahoo's network.

Tensions over cybersecurity continue to rise between Russia and the US, with spies accused of hacking the Democratic National Committee and the FBI investigating cyberattacks on the presidential campaign.

The indictments offer a tiny measure of closure for Yahoo, which has wrestled with the revelation of mounting security breaches over the last several months. When Yahoo disclosed the 2014 hack in September, it was deemed the worst cyberattack ever. But three months later, the company outdid itself by disclosing a separate incident from 2013 that left 1 billion -- yes, billion -- accounts exposed.

Yahoo described the 2014 breach as a "state-sponsored" attack, but did not specify from what country. While financial data and clear text passwords were safe, names, email address, phone numbers, birth dates, encrypted passwords, and in some cases, security questions and answers, were stolen in the breach.

"The indictment unequivocally shows the attacks on Yahoo were state-sponsored," Chris Madsen, Yahoo's head of security and safety said in a blog post. "We are deeply grateful to the FBI for investigating these crimes and teh DOJ for bringing charges against those responsible."

Yahoo told lawmakers in a letter on February 23 that the company was working with US and foreign governments to help find the hackers responsible for the 2014 attack. The company also hired forensic firms Stroz Friedberg and Mandiant to investigate both breaches.

The controversy surrounding Yahoo's hacks also cost the company $350 million in its sale to Verizon. The telecommunications giant had plans to buy Yahoo's core internet business -- like Yahoo Mail or Yahoo Finance -- for $4.83 billion, but dropped the price to $4.48 billion in February.

Verizon did not respond to requests for comments.

As part of the reorganized deal, Verizon agreed to share the legal and regulatory burdens from the hacks, but Yahoo will have to handle any shareholder lawsuits on its own. Yahoo will also pay half for any non-Securities and Exchange Commission investigations and lawsuits related to the hacks.