Russian tech giant Yandex had a massive leak - more than 40GB of source code leaked

Denis Rakhmanov

A user of a hacker forum (removed by Moderators) posted a torrent link to a hacked git repository of Russian tech giant Yandex.

Quote:

> Important details about the torrent:
>
>   • It is just the content of the repository, without anything else.
>   • All files are dated 24 February 2022 (the day the Russian war in Ukraine started).
>   • It does not contain git history, mostly just code.
>   • No pre-built binaries for most of the software, with only a few exceptions.
>   • There are no pre-trained ML models, with some exceptions.

What’s inside

It looks like at least the source code for all major services of Yandex has been leaked:

  • Search Engine and Indexing Bot
  • Maps - Like Google Maps and Street View
  • Alice - AI assistant like Siri / Alexa
  • Taxi - Uber-like taxi service
  • Direct - Ads service like Google Ads / Adwords
  • Mail - Mail service like GMail
  • Disk - File storage service like Google drive
  • Market - Marketplace like Amazon
  • Travel - Like Booking.com plus airplane, train and bus tickets
  • Yandex360 - Like Google Workspaces for services on your own domain
  • Cloud - Probably not all infrastructure code was leaked.
  • Pay - Payment processing like Stripe, but with limited set of features
  • Metrika - Like Google Analytics

Security implications

Since this leak only contains the contents of git repositories, there is no personal data. There are at least some API keys, but they were likely only used for test deployments.

Yandex denies that a hack happened and blames it on a former employee

Since Yandex is a tech giant that combines Google, Uber, Netflix and Spotify analogs, this might be huge, and many exploits might be discovered.

Many already joked that this might be the biggest contribution to open source this year.

Sources

https://arseniyshestakov.com/2023/01/26/yandex-services-source-code-leak/

https://www.bleepingcomputer.com/news/security/yandex-denies-hack-blames-source-code-leak-on-former-employee/

Sorry for bad Ingrish
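The post above notes that the dump contains at least some API keys. The first thing a defender does with a leaked checkout is enumerate every credential-looking string so it can be rotated. The following is an added Python example, not code from the original post, from the linked sources or from Yandex: a small rule-based scanner with an entropy filter for generic `key = "..."` assignments. The rule set, the entropy threshold, the skipped directories and the sample files are all constructed assumptions for illustration; real scanners such as gitleaks or trufflehog carry far larger rule sets.

```python
"""Scan a source tree for hard-coded credentials so they can be rotated.

Added example, not code from the original post or from Yandex. The rules are
a small subset of what real scanners ship, and the sample files are
constructed here for illustration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# (rule name, pattern). The AWS key and PEM header shapes are public formats.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_secret_assignment", re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"\s]{12,})['"]""")),
]
SKIP_DIRS = {".git", "node_modules", "vendor", "build"}   # dependency/build noise
TEXT_SUFFIXES = {".py", ".js", ".go", ".java", ".yaml", ".yml", ".json",
                 ".env", ".cfg", ".ini", ".txt", ".pem", ""}
PLACEHOLDER_HINTS = ("changeme", "example", "xxxx", "<", "${")


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Apply every rule to every line of one file; return a list of findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Generic assignments are noisy: drop obvious placeholders and
                # values that do not look random enough to be a real secret.
                if name == "generic_secret_assignment":
                    low = value.lower()
                    if any(h in low for h in PLACEHOLDER_HINTS) or shannon_entropy(value) < min_entropy:
                        continue
                findings.append({"rule": name, "file": path, "line": lineno,
                                 "value_prefix": value[:6] + "..."})  # never log the whole secret
    return findings


def scan_tree(root: str) -> list:
    """Walk a checkout, pruning dependency and build directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fn in filenames:
            p = Path(dirpath, fn)
            if p.suffix not in TEXT_SUFFIXES:
                continue
            findings.extend(scan_text(str(p.relative_to(root)), p.read_text(errors="ignore")))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample tree standing in for a leaked checkout (no real secrets).
SAMPLE_FILES = {
    "services/pay/config.yaml": 'environment: test\napi_key: "tk_9f8e7d6c5b4a3928171605f4e3d2c1b0"\n',
    "services/mail/settings.py": 'DEBUG = True\npassword = "changeme_changeme"  # placeholder\n',
    "infra/deploy.env": "AWS_ACCESS_KEY_ID=AKIAQ7R2M9X4T1B8C3ZL\n",
    "node_modules/pkg/index.js": 'token = "n0tR3alButL00ksRand0m42"\n',  # pruned directory
    "certs/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNotARealKey==\n-----END RSA PRIVATE KEY-----\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="leak-scan-")
    for rel, content in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['rule']:28} {f['file']}:{f['line']}  {f['value_prefix']}")
```

The entropy filter is what keeps the generic rule usable: a placeholder such as `changeme_changeme` scores under 3 bits per character while a random token scores above 4, so the report lists the test API key, the AWS-shaped key and the PEM block but not the placeholder. Pruning `node_modules` and similar directories avoids flagging third-party sample strings; a real run would also feed every finding straight into a rotation ticket rather than printing it.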

Can't wait to ask ChatGPT to analyze the source code for more security issues.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

21 minutes ago, Denis Rakhmanov said:

> A user of a hacker forum posted a torrent link to a hacked git repository of Russian tech giant Yandex.
>
> Yandex denies that a hack happened and blames it on a former employee
>
> Since Yandex is a tech giant that combines Google, Uber, Netflix and Spotify analogs, this might be huge, and many exploits might be discovered.
>
> Many already joked that this might be the biggest contribution to open source this year.
>
> Sources
>
> https://arseniyshestakov.com/2023/01/26/yandex-services-source-code-leak/
>
> https://www.bleepingcomputer.com/news/security/yandex-denies-hack-blames-source-code-leak-on-former-employee/

Fun-fact, Yandex owns the internet and google. Deny everything! REEEEE!!!

The Yandex wiki: https://en.m.wikipedia.org/wiki/Yandex

just because this was released doesn’t necessarily limit the amount actually taken.  It’s a suspiciously apropos date.  I can see something like “how far back do you want to go?”  “How ‘bout the first day of the invasion.  Let’s send a message”

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

14 minutes ago, Denis Rakhmanov said:

> Yandex denies that a hack happened

and

> blames it on a former employee

are mutually exclusive. The former is plainly spoken, the latter insinuates it did happen. So... did it happen or not?

Primary Gaming Rig:

Ryzen 5 5600 CPU, Gigabyte B450 I AORUS PRO WIFI mITX motherboard, PNY XLR8 16GB (2x8GB) DDR4-3200 CL16 RAM, Mushkin PILOT 500GB SSD (boot), Corsair Force 3 480GB SSD (games), XFX RX 5700 8GB GPU, Fractal Design Node 202 HTPC Case, Corsair SF 450 W 80+ Gold SFX PSU, Windows 11 Pro, Dell S2719DGF 27.0" 2560x1440 155 Hz Monitor, Corsair K68 RGB Wired Gaming Keyboard (MX Brown), Logitech G900 CHAOS SPECTRUM Wireless Mouse, Logitech G533 Headset

 

HTPC/Gaming Rig:

Ryzen 7 3700X CPU, ASRock B450M Pro4 mATX Motherboard, ADATA XPG GAMMIX D20 16GB (2x8GB) DDR4-3200 CL16 RAM, Mushkin PILOT 1TB SSD (boot), 2x Seagate BarraCuda 1 TB 3.5" HDD (data), Seagate BarraCuda 4 TB 3.5" HDD (DVR), PowerColor RX VEGA 56 8GB GPU, Fractal Design Node 804 mATX Case, Cooler Master MasterWatt 550 W 80+ Bronze Semi-modular ATX PSU, Silverstone SST-SOB02 Blu-Ray Writer, Windows 11 Pro, Logitech K400 Plus Keyboard, Corsair K63 Lapboard Combo (MX Red w/Blue LED), Logitech G603 Wireless Mouse, Kingston HyperX Cloud Stinger Headset, HAUPPAUGE WinTV-quadHD TV Tuner, Samsung 65RU9000 TV

1 minute ago, Kid.Lazer said:

> are mutually exclusive. So... did it happen or not?

Denies that it was a hack, just a leak by a former employee.

If you already have the data on your computer, it's not really hacking.

1 minute ago, Kid.Lazer said:

> and
>
> are mutually exclusive. So... did it happen or not?

Not necessarily if the former employee made a false claim. I would want to know more about that employee.

5 minutes ago, Denis Rakhmanov said:

> Denies that it was a hack, just a leak by a former employee.
>
> If you already have the data on your computer, it's not really hacking.

If you have 40 gigabytes of source code on a company laptop and were able to take it off the device, then I would highly question the company's security policies.

3 minutes ago, Levent said:

> If you have 40 gigabytes of source code on a company laptop and were able to take it off the device, then I would highly question the company's security policies.

There was an implication of an association with the Ukraine war. May or may not be a red herring.

6 minutes ago, Levent said:

> If you have 40 gigabytes of source code on a company laptop and were able to take it off the device, then I would highly question the company's security policies.

But it wouldn't surprise me in the least. I know I could do this for my employer's entire codebase of the last 30 years if I wanted to; it's not as sensitive as the type of software that is involved here, but still.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

4 minutes ago, Supreme Calamitas said:

> I only use Yandex to reverse image search the P*rn I find on Google Images

I thought that Google could do that, why not use Google lol

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

1 hour ago, Denis Rakhmanov said:

> Yandex denies that a hack happened and blames it on a former employee
>
> Since Yandex is a tech giant that combines Google, Uber, Netflix and Spotify analogs, this might be huge, and many exploits might be discovered.
>
> Many already joked that this might be the biggest contribution to open source this year.

No open source project will ever accept stolen code.

That said, yeah, I'm pretty sure it was a former employee. When "hacks" typically happen, they tend to get access to things like active development environments or public-facing filesystems that are browsable.

When you see a copy of a git clone/pull, that means it was likely pulled that day, and probably on somebody's laptop before they fled the country.

11 minutes ago, Kisai said:

> No open source project will ever accept stolen code.
>
> That said, yeah, I'm pretty sure it was a former employee. When "hacks" typically happen, they tend to get access to things like active development environments or public-facing filesystems that are browsable.
>
> When you see a copy of a git clone/pull, that means it was likely pulled that day, and probably on somebody's laptop before they fled the country.

So people can post it, but that doesn’t mean it’s open source or part of any project? If so, even looking at it could soil a reverse engineering attempt. They may have made the thing stronger instead of weaker.

2 minutes ago, Bombastinator said:

> So people can post it, but that doesn’t mean it’s open source or part of any project? If so, even looking at it could soil a reverse engineering attempt. They may have made the thing stronger instead of weaker.

That code is almost 100% covered by some license forbidding it to be used in open source solutions.

So no open source project would use it, as it might lead to lawsuits.

I made this comment because there are already a lot of memes (at least in the Russian segment of the internet) about Yandex contributions to open source this year.

1 hour ago, sof006 said:

> I thought that Google could do that, why not use Google lol

I use Yandex for that purpose as well. I find the UX of finding more images easier with this search engine. 

AMD Ryzen 5 3600 | AsRock B450M-Pro4 | Zotac GTX 3070 Ti

Shure SRH840A | Sennheiser Momentum 2 AEBT | LG C9 55"

21 minutes ago, Denis Rakhmanov said:

> That code is almost 100% covered by some license forbidding it to be used in open source solutions.
>
> So no open source project would use it, as it might lead to lawsuits.
>
> I made this comment because there are already a lot of memes (at least in the Russian segment of the internet) about Yandex contributions to open source this year.

As in they did or they didn't? I’ve seen ads for Yandex but I had no idea what they were even about.

1 minute ago, mononymous said:

> I use Yandex for that purpose as well. I find the UX of finding more images easier with this search engine.

My default is DuckDuckGo. I’ve never had a need for reverse image lookup though.

2 hours ago, sof006 said:

> I thought that Google could do that, why not use Google lol

It’s not detailed enough and doesn’t give me the names 😹 

9 minutes ago, Supreme Calamitas said:

> It’s not detailed enough and doesn’t give me the names 😹

Thanks.. 😉

21 hours ago, Denis Rakhmanov said:

> (removed by Moderators)

This wasn't us I swear!

"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25

4 minutes ago, TVwazhere said:

> This wasn't us I swear!

It would be an entertaining username though

On 1/26/2023 at 9:57 AM, Denis Rakhmanov said:

> I made this comment because there are already a lot of memes (at least in the Russian segment of the internet) about Yandex contributions to open source this year.

I'm sure the joke makes sense in English as well: "The biggest Russian contribution to open source this year was the leak of X, thus proving that X used stolen code in their Y project."

Or something to that level. It might be fun for someone to mechanically compare any OSS modules found in it against public ones to see if there are like GPL violations, but otherwise even looking at such projects is likely to taint any possibility of contributing to OSS projects in the same field.

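Kisai's suggestion of mechanically comparing OSS modules found in a dump against their public upstreams is an ordinary license-compliance check, the same one a company runs on its own tree before a release. The following is an added Python example, not code from the post or from any project mentioned in the thread: it indexes two directory trees by content hash, once byte-for-byte and once with comments and whitespace stripped, so that a copied file still matches after being moved, renamed or reformatted. The two sample trees, their file contents and the comment-stripping regex are constructed assumptions for illustration.

```python
"""Compare a checked tree against a public upstream tree by file content.

Added example, not code from the original post. Files are matched by hash of
their content rather than by path, once raw and once after comments and
whitespace are stripped, so renaming or reformatting does not hide a copy.
The two sample trees below are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# C/JS style block and line comments plus '#' line comments. Crude on purpose:
# it also drops '#include' lines, which is harmless because both sides are
# normalised the same way before hashing.
COMMENT_RX = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
WHITESPACE_RX = re.compile(r"\s+")


def normalise(text: str) -> str:
    """Strip comments and all whitespace; the result is only used for matching."""
    return WHITESPACE_RX.sub("", COMMENT_RX.sub("", text))


def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def index_tree(root: str) -> dict:
    """Map relative path -> (raw digest, normalised digest) for every file."""
    index = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath, fn)
            text = p.read_text(errors="ignore")
            index[str(p.relative_to(root))] = (digest(text), digest(normalise(text)))
    return index


def compare_trees(upstream_root: str, checked_root: str) -> dict:
    """Classify each file in checked_root against the upstream index."""
    upstream = index_tree(upstream_root)
    # Look up by content, not by path: copied files are often moved or renamed.
    by_raw = {raw: path for path, (raw, _) in upstream.items()}
    by_norm = {norm: path for path, (_, norm) in upstream.items()}
    report = {"identical": [], "modified_comments_or_whitespace": [], "unique": []}
    for path, (raw, norm) in index_tree(checked_root).items():
        if raw in by_raw:
            report["identical"].append((path, by_raw[raw]))
        elif norm in by_norm:
            report["modified_comments_or_whitespace"].append((path, by_norm[norm]))
        else:
            report["unique"].append(path)
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample data: a tiny "public upstream" and a tree to check.
UPSTREAM_FILES = {
    "lib/hash.c": "int h(int x) {\n  return x * 31;\n}\n",
    "lib/util.c": "/* MIT licensed */\nint u(int a, int b) { return a + b; }\n",
}
CHECKED_FILES = {
    "third_party/hash.c": "int h(int x) {\n  return x * 31;\n}\n",                   # verbatim copy, moved
    "src/util_copy.c": "// licence header removed\nint u(int a,int b){return a+b;}\n",  # reformatted copy
    "src/own.c": "int own(void) { return 42; }\n",                                     # not from upstream
}


def write_tree(files: dict) -> str:
    root = tempfile.mkdtemp(prefix="tree-")
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def build_sample_trees() -> tuple:
    return write_tree(UPSTREAM_FILES), write_tree(CHECKED_FILES)


if __name__ == "__main__":
    up, chk = build_sample_trees()
    for bucket, entries in compare_trees(up, chk).items():
        print(bucket)
        for e in entries:
            print("   ", e)
```

The second, normalised hash is what catches the interesting case: a file whose license header was removed and whose formatting was changed still matches its upstream. Whole-file hashing misses partial copies (a function lifted into a larger file), which is where tools that hash at function or token level take over, but the two-bucket report above is enough to triage a tree before anyone reads it.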
3 hours ago, Kisai said:

> I'm sure the joke makes sense in English as well: "The biggest Russian contribution to open source this year was the leak of X, thus proving that X used stolen code in their Y project."
>
> Or something to that level. It might be fun for someone to mechanically compare any OSS modules found in it against public ones to see if there are like GPL violations, but otherwise even looking at such projects is likely to taint any possibility of contributing to OSS projects in the same field.

I suspect that has already been done and if there were any we’d have heard about it
