A massive data leak from Russian food delivery service Yandex Food revealed the delivery addresses, phone numbers, names and delivery instructions belonging to those associated with Russia’s secret police, according to findings from rattle cat.
Yandex Food, a subsidiary of Russia’s largest Internet company Yandex, first reported the data leak on March 1, blaming it on the “dishonest actions” of one of its employees and pointing out that the leak does not include users’ login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles (~1,166 USD) for the leak, which Reuters says exposed the information of some 58,000 users. Roskomnadzor also blocked access to an online map containing the data, an attempt to hide the information from ordinary citizens, as well as those with ties to the Russian military and security services.
researchers in rattle cat He gained access to the trove of information, sifting through it for clues about anyone of interest, such as a person linked to the poisoning of Russian opposition leader Alexei Navalny. By searching the database for phone numbers collected as part of a previous investigation, rattle cat discovered the name of the person who was in contact with the Russian Federal Security Service (FSB) to plan the poisoning of Navalny. rattle cat says this person also used his work email address to sign up for Yandex Food, which allowed investigators to further determine his identity.
Investigators also examined leaked information on phone numbers belonging to people linked to Russia’s Main Intelligence Directorate (GRU) or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him to the Russian Foreign Ministry and find his vehicle registration information.
rattle cat discovered valuable information by searching the database for specific addresses as well. When the researchers searched for the GRU headquarters in Moscow, they found just four hits, a potential sign that workers are simply not using the delivery app or opting to order from restaurants within walking distance. When rattle cat searched the FSB Special Operations Center in a Moscow suburb, however, it returned 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told his driver: “Go up to the three barriers near the blue booth and call. After the 110 bus stop to the end”, while another said “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!
Благодаря слитой базе «Яндекса» нашлась ещё одна квартира экс-любовницы Путина Светланы Криво Именно туда их дочь Луиза Розова заказывала еду. Room 400 m², apartment for rent 170 million euros!https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY
— Соболь Любовь (@SobolLubov) March 23, 2022
in a translated cheepRussian politician and Navalny supporter Lyubov Sobol said the leaked information even led to additional information about Russian President Vladimir. The alleged “secret” daughter of Putin and former lover. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-lover Svetlana Krivonogikh was found,” Sobol said. “That’s where her daughter Luiza Rozova ordered her meals. The apartment is 400 m², valued at about 170 million rubles. [~$1.98 million USD]!”
If researchers were able to uncover so much information based on data from a food delivery app, it’s a bit disconcerting to think about how much information Uber Eats, DoorDash, Grubhub and others have on users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, delivery addresses, and salted-encrypted passwords of 4.9 million people, a far greater number than those affected in the Yandex Food leak.