A proprietary source code repository from Russian tech giant Yandex has been leaked on Breachforums as a torrent. Yandex denied any hacks and claimed that a rogue former employee leaked the repository.
According to software engineer Arseniy Shestakov, the repository contains source code for all major services offered by Yandex, including but not limited to the following:
- Alice
- Cloud
- Direct
- Disk
- Maps
- Market
- Metrika
- Pay
- Search engine and indexing bot
- Taxi
- Travel
- Yandex 360
While the leak only contains Git repositories and not personal data, a few API keys are scattered throughout the code. That said, Shestakov believes these are likely only for testing deployments, meaning they shouldn’t be able to do much harm if in the wrong hands. Additionally, some of the leaked archives contain modern source code for the services mentioned above and documentation, including real intranet URLs.
According to the leaker’s post, the magnet link for the torrent contains Yandex’s Git sources and is 44.7 GB in size. They claim to have stolen the files in July 2022, although Shestakov claims that all files date back to 24 February 2022. The leak also contains no Git history, pre-built binaries or pre-trained ML models, with only a few exceptions.
In its statement to BleepingComputer, Yandex claims that the content of the leaked repositories differed from “the current version of the repository used in Yandex services”. The company claims to be conducting an internal investigation of the incident but does not see any threat to user data or platform performance at the moment.
Considering the intruder isn’t selling the leaked code online, it’s possible that the breach is politically motivated. Additionally, since the leak doesn’t contain any customer data, model weights for neural networks or other sensitive information, it isn’t immediately beneficial to threat actors. However, access to source code could mean that threat actors can reverse engineer these services to find and exploit previously unknown vulnerabilities.