A massive data leak by Russian grocery delivery service Yandex Food revealed the delivery addresses, phone numbers, names and delivery instructions of people linked to Russia’s secret police Bellingcat.
Yandex Food, a subsidiary of Russia’s larger internet company Yandex, first reported the data leak on March 1, blaming the “dishonest actions” of one of its employees and noting that the leak does not include user credentials. Russia’s communications regulator Roskomnadzor has since threatened the company with a fine of up to 100,000 rubles (about $1,166) for the leak Reuters says exposed the information of about 58,000 users. Roskomnadzor also blocked access to an online map containing the data in an attempt to hide the information from ordinary citizens as well as those with ties to the Russian military and security services.
researchers at Bellingcat Accessed the wealth of information and searched it for leads to interesting individuals, such as a person linked to the poisoning of Russian opposition leader Alexei Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat revealed the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this individual also used their work email address to register with Yandex Food, allowing researchers to further establish his identity.
The researchers also examined the leaked information for the phone numbers of people linked to Russia’s Main Intelligence Directorate (GRU) or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to connect him to the Russian Foreign Ministry and find his vehicle registration information.
Bellingcat discovered some valuable information by also searching the database for specific addresses. When the researchers searched for the GRU headquarters in Moscow, they only found four results — a possible sign that employees simply aren’t using the delivery app, or are instead ordering from restaurants within walking distance. When Bellingcat searched for the FSB’s Special Operations Center in a Moscow suburb, but returned 20 results. Several results contained interesting delivery instructions that warned drivers that the delivery location is actually a military base. One user said to his driver: “Go to the three boom barriers near the blue booth and call. After the 110 bus stop to the end,” while another said: “Closed area. Go to the checkpoint. Call [number] ten minutes before you arrive!”
Благодаря слитой базе «Яндекса» нашлась ещё одна квартира экс-любовницы Путина Светланы Кривоногих. Именно туда их дочь Луиза Розова заказывала еду. Квартира 400 m², стоит примерно 170 млн рублей!https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY
— Соболь Любовь (@SobolLubov) March 23, 2022
In a translated tweet, Russian politician and Navalny supporter Lyubov Sobol said the leaked information even led to additional information about the allegedly “secret” daughter and former lover of Russian President Vladimir Putin. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-lover Svetlana Krivonogikh was found,” Sobol said. “Her daughter Luiza Rozova ordered her food there. The apartment is 400 m² and is worth about 170 million rubles [~$1.98 million USD]!”
When researchers were able to uncover so much information based on data from a grocery delivery app, it’s a little unnerving to think of the amount of information that Uber Eats, DoorDash, Grubhub, and others have about users to have. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, shipping addresses, and hashed, salted passwords of 4.9 million people — a far larger number than those exposed by the Yandex leak Food were affected.