The US government has unsealed charges against two Russian spies and two criminal hackers for allegedly pilfering 500 million Yahoo user accounts in 2014.
The indictments represent the first time the US government has criminally charged Russian officials for cyber offences.
The contents of at least 30 million accounts were accessed as part of a spam campaign and at least 18 people who used other internet service providers, such as Google, were also victimised, the government said.
The officers of the FSB, Russia’s Federal Security Service, which is a successor to the KGB, were identified as Dmitry Dokuchaev and his superior, Igor Sushchin.
Both men are in Russia, the government said.
Alexsey Belan, who is on the list of most-wanted cyber criminals, and Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, were also named in the indictment.
The Justice Department said Baratov was arrested in Canada on Tuesday and his case is pending with Canadian authorities.
Belan was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.
"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” said acting assistant attorney general Mary McCord.
McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to "line their pockets."
The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice.
The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.
The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.
The 47-count indictment includes conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud, and aggravated identify theft.
The charges are not related to the hacking of Democratic Party emails during the 2016 US presidential election. Intelligence agencies have said they were carried out by Russia to help the campaign of Republican candidate Donald Trump.
Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and today the company said the indictment "unequivocally shows" that to be the case.
Yahoo in December also announced a breach that occurred in 2013 affecting one billion accounts, though it has not linked that intrusion to the one in 2014.
The Russian hacking conspiracy, which began as early as 2014, allowed Belan to use his relationship with the Russian spy agency and access to Yahoo's network to engage in financial crimes, according to the indictment.
The breaches were the latest in a series of setbacks for the internet pioneer, which has fallen on hard times in recent years after being eclipsed by younger, fast-growing rivals including Google and Facebook.
Yahoo’s disclosure of the years-old cyber invasions and its much-criticised slow response forced it to accept a discount of US$350 million in what had been a US$4.83 billion deal to sell its main assets to Verizon.
Shares of Yahoo were down 0.9 percent.
"We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cyber crime," Chris Madsen, Yahoo's assistant general counsel, said in a statement.