Data leak from Russian delivery app shows dining habits of the secret police

An enormous information leak from Russian meals supply service Yandex Meals revealed the supply addresses, telephone numbers, names, and supply directions belonging to these related to Russia’s secret police, in keeping with findings from Bellingcat.

Yandex Meals, a subsidiary of the bigger Russian web firm, Yandex, first reported the info leak on March 1st, blaming it on the “dishonest actions” of one in all its staff and noting that the leak doesn’t embody customers’ login data. Russian communications regulator Roskomnadzor has since threatened to tremendous the corporate as much as 100,000 rubles (~$1,166 USD) for the leak, which Reuters says uncovered the data of about 58,000 customers. The Roskomnadzor additionally blocked entry to a web-based map containing the info — an try to hide the data of bizarre residents, in addition to these with ties to the Russian army and safety companies.

Researchers at Bellingcat gained entry to the trove of data, sifting by means of it for leads on any folks of curiosity, akin to a person linked to the poisoning of Russian opposition chief Alexey Navalny. By looking out the database for telephone numbers collected as a part of a earlier investigation, Bellingcat uncovered the identify of the one that was involved with Russia’s Federal Safety Service (FSB) to plan Navalny’s poisoning. Bellingcat says this particular person additionally used his work e-mail tackle to register with Yandex Meals, permitting researchers to additional confirm his identification.

Researchers additionally examined the leaked data for the telephone numbers belonging to people tied to Russia’s Primary Intelligence Directorate (GRU), or the nation’s international army intelligence company. They discovered the identify of one in all these brokers, Yevgeny, and have been in a position to hyperlink him to Russia’s Ministry of Overseas Affairs and discover his car registration data.

Bellingcat uncovered some priceless data by looking out the database for particular addresses as nicely. When researchers regarded for the GRU headquarters in Moscow, they discovered simply 4 outcomes — a possible signal that employees simply don’t use the supply app, or decide to order from eating places inside strolling distance as an alternative. When Bellingcat looked for FSB’s Particular Operation Heart in a Moscow suburb, nonetheless, it yielded 20 outcomes. A number of outcomes contained fascinating supply directions, warning drivers that the supply location is definitely a army base. One consumer advised their driver “Go as much as the three increase obstacles close to the blue sales space and name. After the cease for bus 110 as much as the tip,” whereas one other stated “Closed territory. Go as much as the checkpoint. Name [number] ten minutes earlier than you arrive!”

In a translated tweet, Russian politician and Navalny supporter, Lyubov Sobol, stated the leaked data even led to extra details about Russian President Vladimir Putin’s alleged “secret” daughter and former mistress. “Because of the leaked Yandex database, one other residence of Putin’s ex-mistress Svetlana Krivonogikh was discovered,” Sobol stated. “That’s the place their daughter Luiza Rozova ordered her meals. The residence is 400 m², value about 170 million rubles [~$1.98 million USD]!”

If researchers have been in a position to uncover this a lot data based mostly on information from a meals supply app, it’s a bit unnerving to consider the quantity of data Uber Eats, DoorDash, Grubhub, and others have on customers. In 2019, a DoorDash information breach uncovered the names, e-mail addresses, telephone numbers, supply order particulars, supply addresses, and the hashed, salted passwords of 4.9 million folks — a a lot bigger quantity than these affected within the Yandex Meals leak.