Data Breach

Yandex Denies Hack – Source Code Leaked on Popular Hacking Forum

The source code of Yandex, the largest IT company in Russia and commonly referred to as the Russian Google, was hacked by attackers.

On a well-known hacker site, a Yandex source code repository purportedly stolen by a former employee of the Russian technology giant was leaked as a torrent.

Specifics of the Yandex Data Leak

A magnet link with 44.7 GB of files purported to be from “Yandex git sources” that were allegedly taken from the company in July 2022 was shared by the leaker yesterday. 

Apart from anti-spam guidelines, these code repositories are said to contain all the company’s source code.

Yandex repository leaked on hacker forums

Arseniy Shestakov, a researcher who claims to have investigated data leaks, states that the leaked Yandex Git repository includes technical data and code about the products such as:

  • Yandex search engine and indexing bot
  • Yandex Maps
  • Alice (AI assistant)
  • Yandex Taxi
  • Yandex Direct (ads service)
  • Yandex Mail
  • Yandex Disk (cloud storage service)
  • Yandex Market
  • Yandex Travel (travel booking platform)
  • Yandex360 (workspaces service)
  • Yandex Cloud
  • Yandex Pay (payment processing service)
  • Yandex Metrika (internet analytics)

“There are at least some API keys, but they are likely only been used for testing deployment only,” according to Shestakov.

The company informed Russian media that it was aware of the leak and that an inquiry had been started to determine how “fragments of the source code” ended up in the public domain.

Moreover, Yandex emphasized that the company was not “hacked” because the leaked files only contained code fragments from an internal repository that utilized different data from the repository’s most recent version.

Yandex was not hacked. Our security service found code fragments from an internal repository in the public domain, but the content differs from the current version of the repository used in Yandex services”.

“A repository is a tool for storing and working with code. Code is used in this way internally by most companies”.

“Repositories are needed to work with code and are not intended for the storage of personal user data. We are conducting an internal investigation into the reasons for the release of source code fragments to the public, but we do not see any threat to user data or platform performance.”, Yandex.

A former senior systems administrator, deputy chief of development, and director of spreading technologies at Yandex,  Grigory Bakunov said the data breach was motivated by politics, and the rogue Yandex employee who was in charge of it didn’t try to sell the code to competitive firms.

He continued by saying that as the breach does not include any customer information, neither does it directly harm the privacy or security of Yandex customers or pose a threat to confidential or proprietary information.

“Yandex uses a monorepo structure called ‘Arcadia,’ but not all of the company’s services use it. Also, even just to build a service, you need a lot of internal tools and special knowledge, as standard building procedures do not apply.

The leaked repository contains only code; the other important part is data. Key parts, like model weights for neural networks, etc., are absent, so it’s almost useless.

Still, there are a lot of interesting files with names like “blacklist.txt” that could potentially expose working services”.

But according to Bakunov, the exposed code gives hackers the chance to find security holes and craft specialised exploits. Bakunov thinks it’s just a matter of time. Hence, a complete study of the disclosed code may reveal potential vulnerabilities at Yandex for threat actors.

Network Security Checklist – Download Free E-Book

Guru Baran

Recent Posts

New WiFi Flaw Let Attackers Hijack Network Traffic

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according…

16 hours ago

A Military-Type Explosive Sent Via USB Drive to Detonate When Plug-in To Computer

The Ecuadorian free-to-air television network Ecuavisa recently reported that a USB device was detonated inside…

23 hours ago

UK Police Setup Thousands of  Fake DDoS-For-Hire Websites

The National Crime Agency (NCA) of the United Kingdom revealed that it had built several fake…

1 day ago

Parts of Twitter’s Source Code Leaked Online On GitHub

Recently, Twitter has acknowledged that some of its confidential source code has been exposed on…

2 days ago

Hackers Earned $1,035,000 for Exploiting 27 Zero-Days at Pwn2Own Vancouver

After the finale of Pwn2Own Vancouver 2023, the Masters of Pwn, Synacktiv (@Synacktiv), received $1,035,000…

2 days ago

Hackers Exploited Critical Microsoft Outlook Vulnerability To Gain Exchange Server Access

In response to a recent vulnerability identified in Outlook, Microsoft recently published a proper guide…

3 days ago