The U.S. Federal Bureau of Investigation has charged four people, including two Russian state intelligence agents, for their involvement in a massive hack of Yahoo that affected half a billion accounts.
In September, Yahoo said hackers had managed to steal personal data on more than 500 million users during an attack in late 2014. The stolen data included names, email addresses, telephone numbers and hashed passwords. Blame for the attack was put on a "state-sponsored" group.
On Wednesday, the FBI said that group was the Russian Federal Security Service, the FSB, and it identified agents Dmitry Dokuchaev and Igor Sushchin as leaders of the attack.
The Russian agents paid two criminal hackers, Alexsey Belan and Karim Baratov, to break into the Yahoo accounts and then steal information that could be used to further compromise other accounts, according to the FBI.
The hackers specifically targeted the Yahoo accounts of Russian and U.S. government officials, including those involved with cybersecurity, Russian journalists and financial services companies, the FBI said.
But they also attacked the accounts of regular users, looking for things like credit card numbers and gift cards that they could cash in.
"The FSB used hackers to gain information, some of which had intelligence value, but in doing so the criminal hackers used this opportunity to line their own pockets for financial gain," said Mary McCord, acting assistant attorney general, during a Washington, D.C., news conference.
Three of those named are at large but one, Baratov, was arrested in Canada on Tuesday on a U.S. warrant. The other alleged criminal hacker, Belan, has been charged twice before in the U.S.
The U.S. has requested that Interpol issue red notices for those at large, but unless the Russian government decides to cooperate they could easily remain beyond the arm of international law.
However, the U.S. government has a number of tools at its disposal including diplomatic and trade sanctions that could be used to pressure or punish Russia.
The hack was just one of two massive data breaches suffered by Yahoo. A second, disclosed in December, was even bigger, affecting a billion accounts. It included much of the same information but also birth dates. The passwords stolen in this hack were obfuscated in MD5, an old algorithm that can be hacked. Yahoo blamed the larger breach on an "unauthorized third party."
Russian state security has been blamed for a series of hacks including the high profile attack on the Democratic National Committee during the recent U.S. election. McCord said Wednesday's indictment does not allege any links between the Yahoo hack and the DNC hacks.