According to the findings of Bellingcat.
Yandex Food, a subsidiary of Russia’s largest internet company, Yandex, first reported the data leak on March 1, blaming it on the “dishonest actions” of one of its employees and noting that the leak does not include user login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles (~$1,166) for the leak, which Reuters said exposed the information of about 58,000 users. Roskomnadzor also blocked access to an online map containing the data – an attempt to conceal information from ordinary citizens, as well as those with ties to Russian military and security services.
Researchers from Bellingcat accessed the wealth of information, seeking leads on anyone of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for telephone numbers collected as part of a previous survey, Bellingcat discovered the name of the person who was in contact with the Federal Security Service (FSB) of Russia to plan the poisoning of Navalny. Bellingcat says this person also used their work email address to register with Yandex Food, allowing researchers to further verify their identity.
Researchers also reviewed leaked information about phone numbers belonging to people linked to Russia’s Main Intelligence Directorate (GRU), the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him to the Russian Foreign Ministry and find his vehicle registration information.
Bellingcat also discovered valuable information by searching the database for specific addresses. When researchers searched for the GRU headquarters in Moscow, they found only four results – a potential sign that workers are simply not using the delivery app or are choosing to order from restaurants within walking distance instead. When Bellingcat searched for the FSB special operations center in a suburb of Moscow, the search returned 20 hits. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. A user told his driver, “Go up to the three arrow barriers near the blue cabin and call. After the 110 bus stop to the end”, while another said “Territory closed. Go up to the checkpoint. Call [number] ten minutes before your arrival!”
Thanks to the merged Yandex database, another apartment of Putin’s ex-lover Svetlana Krivonogikh was found. This is where their daughter Luiza Rozova ordered food. A 400 m² apartment costs about 170 million rubles! https://t.co/z3uGKOdQhc
— Lyubov Sobol (@SobolLubov) March 23, 2022
In a translated tweet, Russian politician and Navalny supporter Lyubov Sobol said the leaked information even led to additional information about the alleged “secret” daughter and former mistress of Russian President Vladimir Putin. “Thanks to the Yandex database leak, another apartment of Putin’s ex-mistress Svetlana Krivonogikh has been found,” Sobol said. “This is where their daughter Luiza Rozova ordered her meals. The apartment is 400 sq.m., worth about 170 million rubles [~$1.98 million USD]!”
If researchers were able to uncover so much information based on data from a food delivery app, it’s a little baffling to think about how much information Uber Eats, DoorDash, Grubhub and others have about their users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, shipping addresses and hashed and salted passwords of 4.9 million people, a number far larger than those affected by the Yandex Food leak.