A massive data leak that has revealed the delivery addresses, phone numbers, names, and delivery instructions belonging to those associated with Russia’s secret police has surfaced online. According to reports, the leak belongs to a Russian food delivery service Yandex Food.
Yandex Food is a food delivery service that offers services to multiple cities in Russia, it’s also a subsidiary of the larger Russian internet company, Yandex. The data leak was first reported by the company on March 1st, an action blamed on dishonest employees. The company noted that the leak was void of users’ login information. According to reports, the Russian communications regulator Roskomnadzor has since threatened to fine the company up to the tune of $1,166 USD for the leak which exposed about 58,000 users’ information. The Roskomnadzor in an attempt to conceal the information of ordinary citizens, as well as those with ties to the Russian military and security services has also taken action by blocking access to an online link containing such data.
According to The Verge, access to the trove of information was gotten by Researchers at Bellingcat, after sifting through it for leads on any people of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat uncovered the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this person also used his work email address to register with Yandex Food, allowing researchers to further ascertain his identity.
Further examination of the leaked information by Bellingcat researchers has also unravelled the phone numbers belonging to individuals tied to Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence agency. The researchers were able to find the name of one of these agents, Yevgeny, and were also able to link him to Russia’s Ministry of Foreign Affairs as well as find his vehicle registration information.
Valuable information continues to surface as search efforts on the database for specific addresses are ongoing. In the GRU headquarters in Moscow that was combed by these researchers, four revelations have emerged. Some of this revelation is a potential sign that workers don’t make use of the delivery app, or opt to order from restaurants within a walking distance instead. While Bellingcat searched for FSB’s Special Operation Center in a Moscow suburb, 20 results were however yielded. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told their driver “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end,” while another said “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!”
A tweet by Russian politician and Navalny supporter, Lyubov Sobol, has revealed that the leaked information has led to the discovery of additional information about Russian President Vladimir Putin’s former mistress and their alleged “secret” daughter. Sobol further revealed that “Thanks to the leaked Yandex database, another apartment of Putin’s ex-mistress Svetlana Krivonogikh was found.” Sobol said. “That’s where their daughter Luiza Rozova ordered her meals. The apartment is 400 m², worth about 170 million rubles which is the equivalent of about $1.98 million.”
Many have wondered if this much information was uncovered as a result of a data leak from just one food delivery app, one can only wonder the amount of information Uber Eats, DoorDash, Grubhub, and many others would have on various users. In 2019, DoorDash reported a similar data breach that exposed the names, email addresses, phone numbers, delivery order details, delivery addresses, and the hashed, salted passwords of close to 4.9 million people, a much larger number compared to the numbers of the Yandex Food leak.