The Justice Department dropped a stunner of a document this week that revealed how Russian spies worked with common criminals to strip mine information from millions of Yahoo user accounts. In a 39-page indictment, the government revealed new details about the colossal data breach, plus some bizarre tidbits—like how one of the hackers used the Yahoo (YHOO) information to also push erectile dysfunction drugs.
The unsealed indictment and a press conference by the federal government announcing cyber crime charges against four men explains a lot about who hacked Yahoo and how they did it. But there are still some major questions for which both consumers and investors need answers. Here are five things we have yet to learn:
What about the 1 billion accounts hacked in 2013?
The Justice Department news is about the hack of 500 million accounts—everything from email to fantasy sports services—that took place in 2014, and which Yahoo disclosed in September. The announcement, however, was oddly silent about an even bigger breach of 1 billion accounts that took place in 2013, and which the company disclosed in December.
What’s the story? Was the 2013 hack unrelated to the allegedly state-supported Russian intrusion of 2014? Or is it possible the 2013 attack was also carried out by Russian criminals like the main culprit named in this week’s indictment without government involvement? If the latter theory is correct, it would undercut the argument the Yahoo hack was “state sponsored” in origin—and makes it more likely the hacks are another example of the Kremlin spy machine piggy-backing on the work of cyber-criminals.
Who are the unnamed executives and companies that got hit by the hackers?
The Russian hackers allegedly broke into the Yahoo accounts of senior executives at big U.S. companies, including a major airline and a financial firm. If this is the case, they could have obtained all sorts of sensitive corporate information, especially if (as is not uncommon) the executives used these non-work emails to communicate with key staff.
The indictment also describes how the hackers gained access to the “Yahoo users’ accounts of three different offices of U.S. Cloud Computing Company 1.” Obviously, it’s not possible to know which cloud company this is—it could be anyone from Amazon (YHOO) Web Services to Salesforce to Microsoft (MSFT) to some other firm. But it’s worth noting the infiltration of their executives’ Yahoo accounts could be a stepping stone into breaking into their corporate accounts, and gaining access to information about the cloud company’s customers.
Get Data Sheet, Fortune’s technology newsletter.
Why did the Justice Department announce this now?
There have been leaks for months that the Justice Department was investigating the Yahoo hacks, so the news of the indictment was not a huge surprise. But given how political the topic of Russian hacking has become, it’s worth asking why the agency chose this week to announce it.
It’s possible the timing simply coincides with the end of the investigation. But a person with ties to the Justice Department, who was not authorized to speak for attribution, said the timing may be more deliberate. Specifically, this person said many suspect the Yahoo file have come to the attention of new Attorney General Jeff Sessions, who then pressed to publicize it to show he and the Trump Administration want to take a hard line on Russian hacking.
Who at Yahoo knew about the hacking—and when?
This remains the most burning and sensitive question of all. Since it disclosed the attacks in September, Yahoo has been coy (to put it politely) about what happened. The company has conceded it first learned of the breach in 2014, but it also suggested the matter somehow never reached the level of importance to notify senior management.
CEO Marissa Mayer is sticking to her story that she learned of the attack shortly before everyone else, including <a href="https://fortune.com/2017/02/21/yahoo-verizon-hacking-deal/">Verizon</a> (VZ), which by then had decided to buy the company. And in early March, Mayer basically made Yahoo lawyer Ron Bell the fall guy for the whole incident—a move that was lambasted on social media and by prominent tech journalist Kara Swisher.
If this official account is true, it still doesn’t explain who first learned of the account hacking, and how far up the executive chain the news traveled. This week’s news shed no light on the matter—but it’s a good bet class action lawyers will use the legal discovery process to reveal what actually happened.
What will the SEC do?
The Justice Department’s announcement takes care of the criminal side of the Yahoo breach, even if three of the four hackers are unlikely to ever see a U.S. jail cell, since they are in Russia.
But there is also a second major investigation swirling around the Yahoo incident, one that is reportedly being carried out by the Securities and Exchange Commission. The SEC probe turns on whether the company broke the law by failing to disclose the breach to investors, who were left holding Yahoo shares as news of the disaster trickled out.
The plot became thicker this week as an FBI agent told Ars Technica, “Yahoo was under no government mandate not to tell customers of the breach.” If this other shoe drops, the SEC fallout for Yahoo could be painful.
