A massive data leak from Russian food delivery service Yandex Food revealed the delivery addresses, phone numbers, names, and delivery instructions belonging to those associated with Russia’s secret police, according to findings from Bellingcat.
Yandex Food, a subsidiary of the larger Russian internet company, Yandex, first reported the data leak on March 1st, blaming it on the “dishonest actions” of one of its employees and noting that the leak doesn’t include users’ login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles (~$1,166 USD) for the leak, which Reuters says exposed the information of about 58,000 users. The Roskomnadzor also blocked access to an online map containing the data — an attempt to conceal the information of ordinary citizens, as well as those with ties to the Russian military and security services.
Researchers at Bellingcat gained access to the trove of information, sifting through it for leads on any people of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat uncovered the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this person also used his work email address to register with Yandex Food, allowing researchers to further ascertain his identity.
Researchers also examined the leaked information for the phone numbers belonging to individuals tied to Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him to Russia’s Ministry of Foreign Affairs and find his vehicle registration information.
Bellingcat uncovered some valuable information by searching the database for specific addresses as well. When researchers looked for the GRU headquarters in Moscow, they found just four results — a potential sign that workers just don’t use the delivery app, or opt to order from restaurants within walking distance instead. When Bellingcat searched for FSB’s Special Operation Center in a Moscow suburb, however, it yielded 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told their driver “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end,” while another said “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!”
In a translated tweet, Russian politician and Navalny supporter, Lyubov Sobol, said the leaked information even led to additional information about Russian President Vladimir Putin’s former mistress and their alleged “secret” daughter. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-mistress Svetlana Krivonogikh was found,” Sobol said. “That’s where their daughter Luiza Rozova ordered her meals. The apartment is 400 m², worth about 170 million rubles [~$1.98 million USD]!”
If researchers were able to uncover this much information based on data from a food delivery app, it’s a bit unnerving to think about the amount of information Uber Eats, DoorDash, Grubhub, and others have on users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, delivery addresses, and the hashed, salted passwords of 4.9 million people — a much larger number than those affected in the Yandex Food leak.