What motivates leakers
There are several ways to obtain personal data illegally, and one of them is through the company’s own employees who have access to user databases. Criminals often find such untrustworthy employees and acquire the data through them. Stolen databases are then sold, or given away for free in exchange for reputation on hacker forums.
A system can also be hacked from the outside by guessing weak passwords or exploiting a vulnerability in the software. Another way in is malware: a single infected device can serve as a foothold from which the attacker eventually compromises the entire network.
In the case of Yandex.Eats, the company cites the “irresponsible online activities” of one of its employees as the cause of the leak. The details of the breach itself remain unclear: it could have been the work of an insider or the exploitation of a vulnerability found from outside.
As for the hackers’ motivation, part of it may have been a desire to scare users away from the app and damage the company’s reputation. In all likelihood, the goal was not to obtain the data but to make it public.
Remain calm
The leaked data itself does not pose a significant threat to users: most of it is already publicly available and/or of little interest to criminals. For instance, users’ full names and phone numbers can be found on VK, and the operating system of their phone is visible on Twitter. On its own, this data is of limited value for social engineering and cannot be used to log in to users’ accounts on other websites.
However, the newly leaked data can be combined with earlier leaks to build a more detailed profile of a specific user. It can also be used for phishing: users may receive a promotional email that appears to come from Yandex.Eats and leads to a fraudulent third-party page asking them to enter their account details.
The same can happen with other apps and services. If you have ever created accounts on the websites of betting companies, stock exchanges, mobile operators, microloan agencies, or any other service that requires personal data verified via your phone number or ID document, that data, too, can become public as the result of a successful attack.
Users whose data was exposed in this leak cannot do much about it now. If the hackers had wanted to use the information for their own benefit, they would most likely have done so before making it public.
Overreacting can only cause more harm. The website that hosted the leak listed phone numbers that users were supposedly to call to have their data removed from public access; in fact, these were the numbers of government officials, published there in an attempt to discredit them. You could, of course, change your phone number, email, and even postal address, but these efforts would likely be in vain. After the leak, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) opened a case against Yandex.Eda (the service’s Russian name) for violating personal data protection regulations and blocked the web page on which the leak was published.
How to protect your data
To limit the damage from future leaks, use a dedicated phone number and email address only for signing up to services, so that a leaked record cannot be tied to your primary contacts. Where possible, use a pseudonym instead of your real name.
Companies need to adopt proper procedures for secure data processing and storage: reduce the number of people with access to critical data and implement the principle of least privilege, giving employees only the access rights their current responsibilities require and revoking them when those responsibilities change. It is also worth looking into information security standards, the best known of which is ISO/IEC 27001.
Companies should also commission external audits of their security controls and conduct regular penetration tests, in which security experts attempt to break into the company’s infrastructure and assess the business risk of what they find.
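As an added example (not from the article, and not Yandex’s own configuration), here is what least privilege looks like for a customer table of the kind that leaked, written for PostgreSQL. The table, role and function names are assumed for illustration. The point is that a support agent’s credentials can look up one customer at a time with the phone number masked, but can never run a query that returns the whole table, so neither a careless employee nor someone who steals that employee’s credentials can dump the database.

```sql
-- Added example, not from the article. Names below are assumed.
CREATE TABLE customers (
    id         bigint PRIMARY KEY,
    full_name  text   NOT NULL,
    phone      text   NOT NULL,
    address    text,
    comment    text            -- free-text delivery notes
);

-- Weak setting: one shared account that every employee uses, with full access.
-- Anyone holding it (or stealing it) can run SELECT * FROM customers.
--   CREATE ROLE staff LOGIN PASSWORD '...';
--   GRANT ALL PRIVILEGES ON customers TO staff;

-- Corrected setting: by default nobody can touch the table at all.
REVOKE ALL ON customers FROM PUBLIC;

-- Support agents get a single-row lookup with the phone number masked.
-- They receive EXECUTE on this function only, never SELECT on the table,
-- so a bulk export is impossible with their credentials.
CREATE ROLE support_agent NOLOGIN;

CREATE FUNCTION lookup_customer(p_id bigint)
RETURNS TABLE (id bigint, full_name text, phone_masked text, address text)
LANGUAGE sql
SECURITY DEFINER           -- runs with the function owner's rights, not the caller's
SET search_path = public   -- pin search_path so a SECURITY DEFINER function cannot be hijacked
AS $$
    SELECT c.id,
           c.full_name,
           repeat('*', greatest(length(c.phone) - 4, 0)) || right(c.phone, 4),
           c.address
    FROM customers AS c
    WHERE c.id = p_id;
$$;

REVOKE EXECUTE ON FUNCTION lookup_customer(bigint) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION lookup_customer(bigint) TO support_agent;

-- Analysts only ever need counts, so they get a view with no personal column.
CREATE ROLE analyst NOLOGIN;
CREATE VIEW customer_stats AS
    SELECT count(*) AS customers, count(address) AS with_address
    FROM customers;
GRANT SELECT ON customer_stats TO analyst;

-- Individual employees are members of a role, not owners of the data.
-- Membership is granted for a job function and revoked when it changes.
CREATE ROLE alice LOGIN;
GRANT support_agent TO alice;
-- REVOKE support_agent FROM alice;   -- the day alice moves to another team

-- Connected as alice:
--   SELECT * FROM lookup_customer(42);   -- one row, phone shown as *******1234
--   SELECT * FROM customers;             -- ERROR: permission denied for table customers
```

Two design choices are worth noting. The function rather than a view is what prevents bulk reads: a view would still let the agent `SELECT *` from it. And `SET search_path` on the `SECURITY DEFINER` function is not optional; without it a user who can create objects in a schema earlier in the search path could substitute their own `right()` or `repeat()` and run code with the owner’s privileges.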