Russian tech giant Yandex has blamed one of its employees for the hacking and subsequent leak of data from Yandex Food, a popular food delivery service in Russia.
Among the many users affected are serving agents of Russia’s security services and military, who in several cases even ordered food to their places of work using their official email addresses.
This leak includes user emails, a large number of phone numbers, addresses, and orders made on the platform. Russia’s state media watchdog Roskomnadzor has strongly attempted to block its proliferation.
Some investigators have already uncovered leads for investigations into corruption from this data leak, namely the 170 million ruble (~$2 million USD) apartment of Russian president Vladimir Putin’s reported “secret daughter”.
Thanks to the leaked Yandex database, another apartment belonging to Putin's ex-mistress Svetlana Krivonogikh has been found. It was there that their daughter Luiza Rozova ordered food. The apartment is 400 m² and costs approximately 170 million rubles! https://t.co/z3uGKOdQhc pic.twitter.com/tOGXOsFmRY
— Lyubov Sobol (@SobolLubov) March 23, 2022
Bellingcat has analysed the data to verify its authenticity and uncover new investigative leads. By cross-referencing data points within this leak to independent sources including social media profiles and other leaked databases, we can confirm that it is indeed authentic. However, as with most data leaks, the vast majority of this information does not have legitimate research purposes; therefore, we are not linking to the data itself. Personal details have been obscured in screenshots throughout this article.
We have only used this leak to explore further information about the subjects of previous investigations – many of whom are members of Russia’s security services and military.
What’s in the leak?
The main part of the data leak includes order information, along with some personal information collected from the user. These include their Yandex.Food ID, address, contact details, delivery instructions, billing information and metadata.
One address Bellingcat searched for is Dorozhnaya Street 56 in Moscow. This facility is linked to the Russian National Guard (Rosgvardia), which has been active in the invasion of Ukraine.
First, here’s an example of how personal details of users who ordered food are displayed in the leak.
The first name is a required field, but full name is often left blank. Below, a fictional Andrey Andreyev has placed their order. The email field is also optional, though the phone number is required. In some cases, user data with phone number, name, and email will be included even if an order has not been placed — likely from when a user has registered but not placed an order on the app.
Data with generic personal information, for illustrative purposes
Also included is the delivery address — not to be confused with the user’s home address, which is not included in this data — with accompanying delivery instructions. These delivery instructions, as detailed later in this article, are some of the most fascinating data points of this leak.
In the case below, showing address and delivery instruction data that reflects an actual Yandex.Food order, the customer specified that the order is being sent to military unit 3792, and that they should call the listed number when they arrive to pick it up at the front gate. This military unit number corresponds to the 681st Special Motorised Regiment of Rosgvardia.
Entry from an order sent to a Rosgvardia base, with d