Yandex Food's Data Gets Leaked, Russian Secret Service Habits Are Revealed, Including Putin's Lover's House

Yandex Food data leaked, Russian agent's habit of ordering food was exposed. (photo: doc. yandex)

JAKARTA - A massive data leak has occurred in the Russian food delivery service Yandex Food. The leak has revealed delivery addresses, phone numbers, names, and shipping instructions belonging to those associated with the Russian secret police. This finding was reported by Bellingcat.

Yandex Food, a subsidiary of Russian internet company Yandex, first reported the data leak on March 1. They blamed "dishonest actions" on one of its employees and noted that the leak did not include user login information.

Russia's communications regulator Roskomnadzor has since threatened to fine the company up to 100.000 rubles (IDR 16.7 million) for the leak. According to a Reuters report, the leak revealed information from about 58.000 users.

Roskomnadzor also blocked access to online maps containing data. This is an attempt to hide the information of ordinary citizens, as well as those with ties to the Russian military and security services.

Researchers at Bellingcat gained access to a collection of information, sifting through it for clues about people of interest. Take, for example, the individual linked to the poisoning of the leader of the Russian opposition, Alexey Navalny.

By searching a database for phone numbers collected as part of previous investigations, Bellingcat found the names of people connected to Russia's Federal Security Service (FSB) for plotting to poison Navalny.

Bellingcat said this person also used his work email address to register with Yandex Food, which allowed researchers to further confirm his identity.

Благодаря слитой базе «Яндекса» нашлась ещё одна квартира экс-любовницы Путина Светланы Кривоногих. Именно туда их дочь Луиза Розова заказывала еду. Квартира 400 м², стоит примерно 170 млн рублей!https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY

— Соболь Любовь (@SobolLubov) March 23, 2022

Researchers also examined leaked information for phone numbers belonging to individuals linked to Russia's Main Intelligence Directorate (GRU), or the country's foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him with the Russian Foreign Ministry and find the registration information of the vehicle.

Bellingcat found some valuable information by searching the database for specific addresses as well. When the researchers searched the GRU headquarters in Moscow, they found only four results. This is a potential sign that workers are not using delivery apps, or are choosing to order from restaurants within walking distance.

However, when Bellingcat searched the FSB Special Operations Center on the outskirts of Moscow, it came up with 20. Some of the results contained interesting delivery instructions, warning drivers that the delivery location was actually a military base.

One user told their driver, “Go up to the three boom barriers near the blue booth and phone. After stopping for the 110 bus to the end," while another said, "The area is closed. Go up to the checkpoint. Call [number] ten minutes before you arrive!”

In a translated tweet, Russian politician and Navalny supporter, Lyubov Sobol, said the leaked information even led to additional information about Russian President Vladimir Putin's ex-girlfriend and their alleged "secret" daughter. "Thanks to the leaked Yandex database, another apartment of former Mrs. Putin Svetlana Krivonogikh was found," Sobol said. “That's where their daughter Luiza Rozova orders her food. This apartment measures 400 m², worth about 170 million rubles (IDR 28.4 billion)!”

If researchers can uncover this much information based on data from food delivery apps, it's a little scary to think about the amount of information Uber Eats, DoorDash, Grubhub and others have about users.

In 2019, the DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, shipping addresses, and hashed passwords, of 4.9 million people. This is a much larger number than those affected by the Yandex Food leak.