Yandex.Eats User Data Exposed Online
At the beginning of March, Yandex warned users about a data breach at Yandex.Eats, which resulted in customer phone numbers and order information—such as order contents and delivery times—falling into the hands of third parties. The company stated that the leak was caused by the “dishonest actions” of one of its employees.
Now, all this information has been made publicly available. On March 22, 2022, links to the stolen database were published in several Telegram channels, and an interactive map with user data appeared online (the website, according to WHOIS data, was created on March 14, 2022). The leaked data includes full names, complete addresses, email addresses, phone numbers, and the total amount spent on orders over the past six months. According to Forbes, the site published data on approximately 58,000 people, including those who placed orders outside of Russia.
Many members of the editorial team found their own data, as well as the data of friends and acquaintances, in the database. Unfortunately, this leaves little doubt about the authenticity of the leak.
Soon after the leak was published, representatives of Roskomnadzor announced that they had drawn up an administrative protocol due to the leak of Yandex.Eats customers’ personal data. They also added the resource with the interactive map and stolen database to the list of banned sites. Journalists from Kommersant note that the protocol was drawn up under Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation, which carries a fine ranging from 60,000 to 100,000 rubles.
Yandex representatives have not yet made any additional official statements about the incident. The company had previously notified users about the breach in early March, emphasizing that it did not affect users’ banking, payment, or registration data, such as logins and passwords.
Human rights advocates say they are already preparing class action lawsuits against Yandex. Representatives of Roskomsvoboda and the “Network Freedoms” project are asking all affected individuals to contact them and join the lawsuits.
Update: The website with the leaked data mapped out (https://saverudata.org/) has been blocked, but is still accessible via proxy, VPN, Tor, etc.