Investigation confirms Internet company’s suspicions that attack was state sponsored.

U.S. authorities this week charged four men in connection with a cyber attack on Yahoo that compromised the personal data of hundreds of millions users.

Two of the defendants are members of the Russian Federal Security Service (FSB), which confirms Yahoo’s suspicions that it fell victim to a state-sponsored attack.

"The indictment unequivocally shows the attacks on Yahoo were state-sponsored. We are deeply grateful to the FBI for investigating these crimes and the DoJ (Department of Justice) for bringing charges against those responsible," said Chris Madsen, assistant general counsel, and head of global law enforcement, security and safety at Yahoo, in a statement on Wednesday.

According to the DoJ, the men gained unauthorised access to Yahoo’s systems and stole information from at least 500 million accounts, and then used that information to gain unauthorised access to accounts at other Webmail providers, including Google.

Compromised accounts include those held by Russian journalists, U.S. and Russian government officials, and private-sector employees of financial, transportation and other companies, the DoJ said.

"Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable," said acting assistant attorney general Mary McCord.

Three of the men are based in Russia; two are Russian nationals, while one was born in Latvia. The fourth is a Kazakh national living in Canada.

According to the DoJ, the two FSB agents, Dmitry Dokuchaev and Igor Sushchin, directed, facilitated and paid their co-defendants, Alexsey Belan and Karim Baratov, to gain access to Yahoo’s systems.

"The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale," McCord said.

Some of the charges brought against some of the defendants carry maximum sentences of 20 years.

The cyber attack took place in 2014 but was not disclosed by Yahoo until last September, by which point it had agreed to sell its core Internet operations to Verizon for $4.83 billion. In February, Verizon and Yahoo agreed a $350 million discount on the deal, and agreed to share certain legal liabilities stemming from the attack.

"We appreciate the FBI’s diligent investigative work and the DoJ’s decisive action to bring to justice those responsible for the crimes against Yahoo and its users," said Madsen. "We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime."