A massive data breach by Russian food delivery service Yandex Food has revealed delivery addresses, phone numbers, names and delivery instructions belonging to ties to Russia’s secret police, according to findings from Bellingcat†
Yandex Food, a subsidiary of the larger Russian internet company Yandex, first reported the data breach on March 1, accusing it of the “dishonest actions” of one of its employees and noting that the leak does not contain user credentials. Russian communications regulator Roskomnadzor has since threatened to fine the company 100,000 rubles (~$1,166 USD) for the leak. Reuters says it is exposing the information of about 58,000 users. The Roskomnadzor also blocked access to an online map containing the data – an attempt to hide information from ordinary citizens, as well as those with ties to the Russian military and security services.
Researchers at Bellingcat accessed the wealth of information and looked for clues about individuals of interest, such as a person linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat revealed the name of the person who had contact with the Russian Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this person also used his business email address to register with Yandex Food so that investigators can further discover his identity.
Investigators also examined the leaked information on the phone numbers of individuals associated with Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence service. They found the name of one of these agents, Yevgeny, and were able to link him to the Russian Foreign Ministry and find his vehicle registration details.
Bellingcat discovered valuable information by also searching the database for specific addresses. When researchers searched GRU’s headquarters in Moscow, they found only four results — a possible sign that employees simply aren’t using the delivery app, or are choosing to order from restaurants within walking distance instead. When Bellingcat searched for the FSB’s special operations center in a Moscow suburb, but returned 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told his driver: “Go to the three barriers by the blue cab and call. After the stop for bus 110 to the end”, while another said “Closed area. Go to the checkpoint. Phone call [number] ten minutes before you arrive!”
агодаря слитой базе «Яндекса» нашлась ещё одна квартира экс-любовницы Путина Светланы Кривоногих. енно туда их очь Луиза Розова заказывала еду. артира 400 ², стоит примерно 170 ей!https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY— оболь овь (@SobolLubov) March 23, 2022
in a translated tweetRussian politician and Navalny supporter Lyubov Sobol said the leaked information even led to additional information about the alleged “secret” daughter and former mistress of Russian President Vladimir Putin. “Thanks to the leaked Yandex database, another apartment belonging to Putin’s ex-mistress Svetlana Krivonogikh was found,” Sobol said. ‘There their daughter Luiza Rozova ordered her meals. The apartment is 400 sqm, worth about 170 million rubles [~$1.98 million USD]†
When researchers were able to uncover so much information based on data from a food delivery app, it’s a little unnerving to think about the amount of information Uber Eats, DoorDash, Grubhub and others have about users. In 2019, a DoorDash data breach uncovered the names, email addresses, phone numbers, delivery order details, delivery addresses and the hashed, salted passwords of 4.9 million people — a much larger number than those affected by the Yandex Food leak.