A massive data leak from an “innocent” delivery app in Russia exposed the personal information of thousands of users, including Russian secret police agents.
Yandex Food, the food delivery app from the Yandex Group, was used to leak the delivery addresses, phone numbers, names, and delivery instructions of 58,000 users, according to Reuters. The data leak was first reported on March 1st as the malicious action of one Yandex Food employee.
The correlations made by Bellingcat researchers following that data leak are most interesting, though. The team managed to identify the person linked to the poisoning of Russian opposition leader Alexey Navalny.
How did they do it? By correlating the phone numbers in the database. The team confirmed their findings when they discovered the work email address used by the individual to register on the app.
Bellingcat also uncovered other assets: individuals with GRU connections, such as agent Yevgeny and his link to Russia’s Ministry of Foreign Affairs.
The data leak even exposed personal details about the life of President Putin’s former mistress and their alleged “secret” daughter. Russian politician and Navalny supporter, Lyubov Sobol, said: “Thanks to the leaked Yandex database, another apartment of Putin’s ex-mistress Svetlana Krivonogikh was found. That’s where their daughter Luiza Rozova ordered her meals. The apartment is 400 m², worth about 170 million rubles [~$1.98 million USD]!”
And to think that all of these findings were possible due to a delivery app employee!
This definitely puts into perspective how much information people are required to hand over just to order some food, and what can be done with it if one is not careful.
In fact, before Yandex Food came under fire, DoorDash made a similar blunder. In the latter’s case, no fewer than 4.9 million people had their names, emails, phone numbers and addresses exposed in 2019.