A massive data leak from Russian grocery delivery service Yandex Food revealed the delivery addresses, phone numbers, names and delivery instructions of people linked to Russia’s secret police, according to Bellingcat.
Yandex Food, a subsidiary of the larger Russian internet company Yandex, first reported the data leak on March 1, blaming the “dishonest actions” of one of its employees and noting that the leak does not include user credentials. Russia’s communications regulator Roskomnadzor has since threatened the company with a fine of up to 100,000 rubles (about $1,166) for the leak, which Reuters says exposed the information of about 58,000 users. Roskomnadzor also blocked access to an online map containing the data in an attempt to hide the information from ordinary citizens as well as those with ties to the Russian military and security services.
Researchers at Bellingcat gained access to the trove of information and searched it for clues to persons of interest, such as a person associated with the poisoning of the Russian opposition leader Alexei Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat revealed the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this individual also used their work email address to register with Yandex Food, allowing researchers to further establish his identity.
The researchers also examined the leaked information for the phone numbers of people linked to Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to connect him to the Russian Foreign Ministry and find his vehicle registration information.
Bellingcat also discovered some valuable information by searching the database for specific addresses. When the researchers searched for the GRU headquarters in Moscow, they only found four results — a possible sign that employees simply aren’t using the delivery app, or are instead ordering from restaurants within walking distance. When Bellingcat searched for the FSB’s Special Operations Center in a Moscow suburb, however, the search returned 20 results. Several results contained interesting delivery instructions that warned drivers that the delivery location is actually a military base. One user said to his driver: “Go to the three boom barriers near the blue booth and call. After the 110 bus stop to the end,” while another said: “Closed area. Go to the checkpoint. Call [number] ten minutes before you arrive!”
Thanks to the leaked Yandex database, another apartment of Putin’s ex-lover Svetlana Krivonogikh has been found. That is where their daughter Luiza Rozova ordered food. The apartment is 400 m² and costs about 170 million rubles! https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY
— Sobol Lyubov (@SobolLubov) March 23, 2022
In a translated tweet, Russian politician and Navalny supporter Lyubov Sobol said the leaked information even led to additional information about Russian President Vladimir Putin’s alleged “secret” daughter and former lover. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-lover Svetlana Krivonogikh was found,” Sobol said. “Her daughter Luiza Rozova ordered her food there. The apartment is 400 m² and is worth about 170 million rubles [~$1.98 million USD]!”
With researchers able to uncover so much information based on data from a grocery delivery app, it’s a little unnerving to think of the amount of information that Uber Eats, DoorDash, Grubhub, and others have about users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, shipping addresses, and hashed, salted passwords of 4.9 million people — a far larger number than those affected by the Yandex Food leak.
https://www.theverge.com/2022/4/3/23008658/data-leak-russian-delivery-app-dining-habits-secret-police-yandex-food Data leak from Russian delivery app reveals secret police eating habits