(CN) – A Canadian hacker will face five years in prison for his part in one of the largest data breaches in history, a federal judge ruled Tuesday.
In addition to the prison sentence, U.S. District Court Judge Vince Chhabria also fined Karim Baratov $250,000 for his role in the Yahoo data breach, which was directed by Russian spies and successfully compromised the accounts of 500 million users.
“The sentence imposed reflects the seriousness of hacking for hire,” Acting U.S. Attorney for the Northern District of California, Alex Tse, said in a statement. “Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them. These hackers are not minor players; they are a critical tool used by criminals to obtain and exploit personal information illegally. In sentencing Baratov to five years in prison, the Court sent a clear message to hackers that participating in cyber attacks sponsored by nation states will result in significant consequences.”
Law enforcement officials say the Russian Federal Security Service – Russia’s domestic law enforcement and intelligence agency – hired Baratov, a 23-year-old resident of Canada who is fluent in Russian.
Baratov pleaded guilty last November, admitting to accessing more than 11,000 Yahoo accounts over a seven-year period beginning in 2010.
Baratov advertised his hacking prowess via a series of Russian-language hacker-for-hire websites hosted throughout the world. In his plea, Baratov admitted he typically “spearfished” his victims, tricking them into providing their usernames and passwords by sending them pages that appeared to be generated by Google, Yahoo and other legitimate sources.
Once he obtained victims’ usernames and passwords, he sent screenshots to his counterparts in Russia for payment.
Baratov’s indictment is only peripherally related to the overall Yahoo data breach, which first occurred in August 2013 and affected all 3 billion users, according to the company. Another hack, occurring in 2014, impacted 500 million users.
The two hacks, both disclosed by Yahoo in 2016, account for the largest data breach in history.
The company faces numerous lawsuits, with plaintiffs saying Yahoo failed to do enough to protect their private information.
Baratov’s co-conspirators — Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43 — have also been indicted but remain at large in Russia.
The U.S. Attorney’s Office for the Northern District of California prosecuted the case.