A Yandex source code base stolen by a former employee of a Russian technology company has been leaked as a torrent on a popular hacking forum, according to BleepingComputer.
Yesterday, leakers posted a magnetic link to what they claim are “Yandex git sources”, including 44.7GB of files stolen from the company in July 2022. The code base allegedly contains all of the company’s source code except for its anti-spam rules.
Software engineer Arseniy Shestakov analyzed the leaked Yandex Git repository and said it contained technical data and code for the following products:
Yandex search engine and indexing bot
Yandex map
Alice (AI assistant)
Yandex Taxi
Yandex Direct (advertising service)
Yandex mail
Yandex Disk (cloud storage service)
Yandex Marketplace
Yandex Travel (travel booking platform)
Yandex360 (workspace service)
Yandex cloud
Yandex Pay (payment processing service)
Yandex Metrika (Internet analytics)
In a statement to BleepingComputer, Yandex said their systems were not hacked, and a former employee leaked the source code repository: “Yandex was not hacked. Our security service found internal storage in the public domain Code snippets of the library, but the content is different from the current version of the repository used in the Yandex service.” A repository is a tool for storing and manipulating code, which is used internally by most companies.
Yandex also stated: “The repository is needed to process code, not to store personal user data. We are conducting an internal investigation into the cause of the leak, but we have not seen any threats to user data or platform performance.”
It is reported that this leak does not contain any customer data, so it does not pose a direct risk to the privacy or security of Yandex users, nor does it directly threaten the leakage of patented technology.
The leaked repository only contains the code, another important part is the data, and the key parts, like the model weights of the neural network, etc. are not leaked, so it is almost useless. However, leaked code creates the possibility for hackers to identify security holes and create targeted exploits.
