According to The Verge, according to Bellingcat's findings, a massive data leak by Russian food delivery platform Yandex Food exposed delivery addresses, phone numbers, names and delivery instructions belonging to those linked to Russia's secret police.
Yandex Food, a subsidiary of Yandex, a large Russian internet company, first reported the data breach on March 1, blaming it on "dishonesty" by one of its employees, noting that the leak did not include the user's login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles for the leak, which Reuters said exposed information about 58,000 users. Roskomnadzor also blocked access to online maps containing the data — in an attempt to mask information about ordinary citizens and people with ties to the Russian military and security services.
Bellingcat's researchers were given access to an information base in which to sift through clues to anyone interested, such as individuals linked to the poisoning of Russian opposition leader Alexei Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat discovered the names of people who had contacted the Russian Federal Security Service (FSB) to plot naval poisoning. Bellingcat said the man was also registered with Yandex Food with his work email address, allowing researchers to further determine his identity.
The researchers also examined the phone numbers of individuals belonging to russia's military intelligence agency (GRU) or the country's foreign military intelligence agencies in the leaked information. They discovered the name of one of the agents, Yevgeny, and were able to link him to the Russian Foreign Ministry to find his vehicle registration information.
Bellingcat also found some valuable information by searching for specific addresses in the database. When the researchers looked for THE RU headquarters in Moscow, they found only four results — a potential sign that workers didn't use the takeout app, or chose to order from restaurants within walking distance. However, when Bellingcat searched the FSB's special operations center on the outskirts of Moscow, it produced 20 results. Several results contain interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told their driver: "Call on three boom obstacles near the blue pavilion. After the platform of the 110 bus to the end," said another person " closed the territory. Go up to the checkpoint. Dial (number) ten minutes before you arrive"!
Russian politician and Navalny supporter Lyubov Sobol said in a translated tweet that the leaked information even led to additional information about Russian President Vladimir Putin's so-called "secret" daughter and former mistress. "As a result of the leaked Yandex database, another apartment of Putin's former mistress Svetlana Krivnojih was discovered," Sobol said. That's where their daughter Luiza Rozova ordered food. The apartment measures 400m2 and is worth about 170 million rubles! ”
The Verge notes that if researchers can find so much information based on data from a food delivery app, it's a little troubling to think about the amount of user information that Uber Eats, DoorDash, Grubhub, and other companies have. In 2019, the DoorDash data breach exposed 4.9 million people's names, email addresses, phone numbers, takeaway order details, shipping addresses, and more — a number that was far more than those affected in the Yandex Food breach.