Data leak from Russian delivery app shows dining habits of the secret police

Image: Getty Images

The delivery addresses, phone numbers, names, and delivery instructions of those associated with Russia's secret police were revealed in a massive data leak from a Russian food delivery service.

On March 1st, the data leak was reported by Yandex Food, a subsidiary of the larger Russian internet company. The company was threatened with a 100,000 ruble fine by the Russian communications watchdog for leaking information of about 58,000 users. The information on ordinary citizens and those with ties to the Russian military and security services were not visible on the online map.

Researchers at Bellingcat were able to find leads on any people of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. Bellingcat found the name of the person who was in contact with Russia's Federal Security Service to plan Navalny's poisoning by searching the database for phone numbers collected in a previous investigation. Bellingcat says that this person used his work email address to register with Yandex Food, which allowed researchers to determine his identity.

The leaked information for the phone numbers of people tied to Russia's main intelligence agency was examined by researchers. They were able to link Yevgeny to Russia's Ministry of Foreign Affairs by finding his vehicle registration information.

Bellingcat searched the database for specific addresses. When researchers looked for the GRU headquarters in Moscow, they found just four results, which could be a sign that workers don't use the delivery app or order from restaurants within walking distance. 20 results were returned when Bellingcat searched for the Special Operation Center. Drivers were warned that the delivery location was actually a military base. One user told their driver to go up to the three boom barriers and call. After the stop for bus 110 up to the end, another said closed territory. Go to the checkpoint. Call the number ten minutes before you arrive.

The leaked information led to additional information about Russian President Vladimir Putin's daughter and former mistress, according to a Russian politician and Navalny supporter. The apartment is worth 170 million rubles.

It's a bit unnerving to think about the amount of information users of food delivery apps have on them. The hashed, salted passwords of more than four million people were exposed in the DoorDash data breach.