Yahoo data breach: FBI accuses four individuals, including Russian intelligence agency employees

The US Federal Bureau of Investigation has indicted four individuals for illegally accessing the personal information of Yahoo users starting from 2014.

The US Federal Bureau of Investigation (FBI) has indicted four individuals for illegally accessing the personal information of Yahoo users starting from 2014. Two out of the four were agents of the Russian Federal Security Service (FSB) during the time the breach occurred. One of the defendants has a pending red corner notice from Interpol and is on the Cyber Most Wanted list of the FBI. Finally, one of the accused had privileged access to Yahoo systems, and used that access for personal gain. Yahoo and Google helped the FBI with the investigation.

The accused are Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, both ex-employees of the FSB and Russian nationals. Sushchin was working undercover as the Head of Information Security at a Russian investment bank. Alexsey Alexseyevich Belan has the pending red corner notice against him and was almost caught in Europe before he managed to escape to Russia, which does not have an extradition treaty with the US. As an Interpol member nation, though, Russia is required to arrest Belan. Karim Baratov is a Canadian and Kazakh national, and a resident of Canada.

Attorney General Jeff Sessions, who announced the charges, said, “Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history. But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

The accused apparently used unauthorised access to Yahoo systems to steal the information of 500 million Yahoo account users. The stolen information was subsequently used to compromise the Gmail accounts of the compromised users, as well as accounts with other email service providers. The targets included Russian journalists, Russian and US government officials, and employees of a prominent Russian cyber-security company, a Russian investment banking firm, a US airline, a Swiss bitcoin wallet provider, and a US financial services firm.

The FBI has accused the criminals of stealing a portion of Yahoo’s User Database (UDB), which contained user names, recovery email accounts, phone numbers and information required to authenticate access to the user accounts. The conspirators also obtained access to Yahoo’s Account Management Tool (AMT), a proprietary mechanism that Yahoo used to make and log changes to user accounts. The combined access to the UDB and AMT allowed the hackers to forge the authentication mechanisms needed to compromise at least 6,500 accounts.

The hacking campaign started in 2014, and the defendants had access to Yahoo networks till September 2016. However, there is information to indicate that the accused continued to use the compromised data till at least December 2016. Belan redirected a portion of Yahoo’s search engine traffic for a commission, and searched the individual communications for credit card and gift card information. In all, 500 million Yahoo accounts were stolen, and the accounts of at least 18 users of other email services were compromised. The contents of 30 million Yahoo accounts were illegally accessed to facilitate a spam campaign.

The attack on Yahoo is the largest known data breach, more than triple the size of other similar breaches. Yahoo had indicated that credit card information was not stolen from its systems, but the criminals seem to have had access to credit card information in the communications. Yahoo’s suspicions that the attack was sponsored by a state actor are supported by the charges filed by the FBI. The data breach was one of the factors that allowed Verizon to negotiate a better deal in its Yahoo takeover.
