A massive data leak from Russian food delivery service Yandex Food has revealed the delivery addresses, phone numbers, names and delivery instructions of those linked to Russia's secret police, Bellingcat, a Netherlands-based investigative journalism group specializing in fact-checking, reports. The intelligence is open source.

Yandex Food, a subsidiary of the Internet company Yandex that owns the popular Russian search engine, first reported the data leak on March 1, blaming one of its employees, noting that the leak did not include users' login information.

Since then, the Russian communications regulator Roskomnadzor has threatened to fine the company up to 100,000 rubles (about $1,166) over the leak, which Reuters says exposed information about 58,000 users.

Roskomnadzor has also blocked access to an online map containing the data - in an attempt to hide the information of ordinary citizens, as well as those with connections to the Russian military and security services.

The poisoning of the head of the Russian opposition

Bellingcat used the data to identify an individual with ties to the poisoning of Russian opposition leader Alexei Navalny. Researchers at Bellingcat had access to a slew of information, and they scanned it for evidence of any people of interest.

By searching a database of phone numbers collected as part of an earlier investigation, Bellingcat revealed the name of a person who had been in contact with Russia's Federal Security Service (FSB) planning to poison Navalny.

Bellingcat says this person also used his work email address to register with Yandex Food, allowing researchers to verify his identity.

The researchers also examined the leaked information of the phone numbers of individuals linked to the country's well-known GRU, or foreign military intelligence agency, known as the GRU.

They found the name of one of these agents, Yevgeny, and were able to link him to the Russian Foreign Ministry and find his car registration information.

Billingcat uncovered some valuable information by searching the database for specific addresses as well.

When searching for the headquarters of the KGB in Moscow, only 4 results were found - a possible indication that workers are not using the delivery app, or are choosing to order from restaurants located within walking distance instead.

When Bellingcat searched for the FSB Special Operations Center (FSB) in a Moscow suburb, it yielded 20 results.

Many of the results contained interesting delivery instructions, warning drivers that the delivery site was in fact a military base.

One user told the delivery driver, “Go up to the third checkpoint near the blue cabin and call,” another said, “Closed area. Go up to the checkpoint. Call [the number] 10 minutes before you arrive!”

Putin and his "alleged" secret daughter Luisa Rozova (communication sites)

Putin's mistress and his secret daughter

In a translated tweet, Russian politician and Navalny supporter Lyubov Sobol said the leaked information had led to additional information about President Vladimir Putin's ex-girlfriend and their alleged "secret" daughter.

"Thanks to the leaked Yandex database, another apartment of Putin's ex-girlfriend Svetlana Krivonozhikh was found," Sobol said. "This is where their daughter Luisa Rozova ordered her meals. The apartment is 400 square meters, and its value is about 170 million rubles ($ 1.98 million). ".

And if researchers are able to reveal so much information based on data from a food delivery app, it's worrying to think about how much information Uber Eats, DoorDash, Grubhub, and others have about users.

In 2019, a data breach of Door Dash exposed the names, email addresses, phone numbers, delivery order details, delivery addresses and hashed passwords of 4.9 million people, far more than those affected by the Yandex Food leak.

Keywords: