Two Russian men convicted of their involvement in a massive hack of the Nasdaq stock exchange, Citibank, and other major companies have been given hefty sentences

The two men, Vladimir Drinkman and Dmitriy Smilianets, pleaded guilty in 2015. On Wednesday, Drinkman was sentenced to 144 months, while Smilianets was given 51 months.

Back in 2013, five men were indicted on federal charges. They were accused of, among other things, trading text strings that exploited SQL-injection vulnerabilities in the victim companies' websites to obtain login credentials and other sensitive data and installing malware that gave them persistent backdoor access to the networks. The breaches resulted in losses worth hundreds of millions of dollars via fraudulent ATM withdrawals. The scheme lasted from 2005 until 2012.

According to federal prosecutors, Smilianets was in charge of sales of the card dumps. He sold the data only to trusted wholesalers, charging approximately $10 for each stolen American credit card number and associated data, while European credit card numbers and their related data went for around $50.

"Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information," said acting Assistant Attorney General John Cronan in a statement

"While mega breaches like these continue to affect millions of individuals around the world, hackers and would-be hackers should know that the Department of Justice will use all available tools to identify, arrest, and prosecute anyone who attacks the networks on which businesses and their customers rely."

As Ars reported in 2013, the fact that the defendants were able to pierce company defenses using SQL injection exploits isn't surprising. Despite being one of the oldest type of website attacks, the vulnerabilities that make them possible are common. Retailer sites are on the receiving end of about twice as many such attacks as sites in other industries, according to a report by security firm Imperva.

Federal authorities say that three remaining defendants remain at large. They are Roman Kotov of Moscow; Mikhail Rytikov, 26, of Odessa, Ukraine; and Aleksandr Kalinin of St. Petersburg, Russia.