Two of the men, Dmitry Dokuchaev and Igor Sushchin, are officers at Russia’s secretive Federal Security Service who protected, directed, facilitated, and paid others to collect information through computer intrusions in the U.S. and elsewhere, authorities said.

Authorities said the two men worked with co-conspirators Alexsey Belan and Karim Baratov to hack into computers of American companies providing email and internet-related services.

Mr. Baratov, a Canadian and Kazakh national, was taken into custody on Tuesday in Canada, authorities said. The other men are believed to be in Russia. There is no extradition treaty between Russia and the U.S., so US authorities would only be able to get them in custody if they travel overseas to another country that is willing to send them to the US.

The Kremlin didn’t respond to a request for comment.

The men used unauthorised access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts, starting in January 2014, according to the indictment. They then used some of that stolen information to obtain unauthorised access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies, the Justice Department said in a statement Wednesday.

Other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, US financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a US airline, the Justice Department said.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,”

Yahoo last year had linked its 2014 breach to “state-sponsored” hackers. Yahoo’s servers also were compromised by hackers in a separate incident in 2013, which the company said led to data on more than 1 billion accounts being stolen.

The hacking incidents at Yahoo, both among the largest-ever reported thefts of personal data, presented a major stumbling block to Verizon Communications Inc.’s efforts to acquire Yahoo’s core business assets. Yahoo disclosed both breaches months after Verizon made its initial bid on the internet company in July 2016. Last month, the companies revised the terms of their deal, with Verizon now paying $4.5 billion — a $350 million price reduction — and both companies agreeing to split any future costs related to the breaches.

Yahoo executives were apparently unaware of the 2013 breach until December of last year, but the company knew of the 2014 incident soon after it occurred. It is unclear why Yahoo waited approximately two years to disclose that breach, and this delay is now the subject of an investigation by federal authorities, including the Securities and Exchange Commission.

Last month, Yahoo’s top lawyer, Ronald Bell, resigned in the wake of the hacks, and Yahoo’s board elected not to award Chief Executive Marissa Mayer her 2016 cash bonus and accepted her offer to forgo her 2017 equity awards.

A Yahoo board investigation blamed the mishandling of the hacking incident on “failures in communication, management, inquiry and internal reporting” and a “lack of proper comprehension,” the company said in an SEC filing earlier this month.

More related stories

Wall Street Journal

When play is not a game

Apparent addiction to video games may be hiding other issues.

Read more

Wall Street Journal

Xi’s China fills void left by US

Moves in Europe highlight America’s fading influence.

Read more