Breach in Russian delivery app reveals what secret service members order, and from where

A security breach in the Russian Yandex Food app, which led to a large-scale data theft from the service, has exposed the eating habits of several members of the Russian secret police and other security agencies. But not only that: it also exposed where they order from, the phone numbers they order from, their delivery instructions, and their names. This is according to the Bellingcat group of researchers, who extracted this information by analyzing the data that was leaked on the Internet.

Yandex Food, a subsidiary of Russia's leading Internet company, Yandex, acknowledged that it had suffered a leak on March 1, which it blamed on the "dishonest actions" of one of its employees, and said that the leak did not include login information for its users' accounts. Since then, the Russian communications regulator, Roskomnadzor, has threatened to fine the company up to 100,000 rubles, or just over $1,150, for the leak.

In total, according to Reuters, the leak exposed the data of 58,000 users of the service. The data was displayed on a map, to which Roskomnadzor blocked access, apparently to try to hide the information from ordinary citizens. But surely what interested the regulator most was not that, but hiding the data of people linked to the security services and the Russian army who appeared on the map.

Bellingcat researchers have gained access to the leaked data and combed through it for clues and details about relevant people. And they have found them. One of the individuals they have located is linked to the poisoning of Russian opposition leader Alexei Navalny. By searching the database for phone numbers they had obtained in a previous investigation, members of Bellingcat tracked down the name of the person who was in contact with Russia's Federal Security Service, the FSB, to plan the poisoning of Navalny. According to the investigators, this person used her work email address to register with Yandex Food, which confirmed her identity.

In addition, the investigators cross-referenced the leaked information with the telephone numbers Bellingcat holds for individuals linked to the Main Directorate of Russian intelligence, the GRU, that is, the country's foreign military intelligence agency. They discovered the name of one of its agents, Yevgeny, and were able to link him to the Russian Foreign Ministry and find his vehicle registration information.

Bellingcat also matched the leaked data with specific physical addresses. When they searched for the GRU headquarters in Moscow, they found only four results, which is a sign that its employees do not use the app, or prefer to order from restaurants within walking distance of the headquarters. But when they searched for the address of the FSB Special Operations Center in a Moscow suburb, they got 20 hits. Some contained interesting delivery instructions, alerting couriers that the delivery address is a military base. A couple instructed their couriers to call before arriving, so the order could be picked up at a point outside the Center.

Meanwhile, Lyubov Sobol, a Russian politician who supports Navalny, has claimed that the leak has even revealed information about one of Vladimir Putin's former lovers, as well as an alleged secret daughter, including her name, her address and details of the home from which the orders were placed.

In view of this, the data that any food delivery app stores can be quite juicy for researchers or people with bad intentions, as seen in 2019 with a data breach of the DoorDash delivery app, which exposed the names, email addresses, phone numbers, delivery addresses and encrypted passwords of 4.9 million people. That is many more than were affected by this Yandex Food leak, which gives an idea of the information it was able to offer to third parties.
