The leak contains the source codes for most of the company’s services: from mail and taxis to music and the cloud.
🔎 Leakage of source codes of Yandex services
On January 25, 2023, the source codes and accompanying data for many Yandex services and programs appeared on the web. The distribution contains separate archives (.tar.bz2), whose names can be used to identify the corresponding Yandex services.
The total amount of archives (compressed) is more than 44.7 GB.
January 26, 2023 Yandex confirmed the publication of the source codes of some projects from the internal repository.
The hackers released the archive to the public and claim that in July 2022 they downloaded the source codes of the company’s projects, in addition to the anti-spam rules.
😀 “There was no Yandex hack. The Yandex security service has discovered code fragments from an internal repository in the public domain. However, their content differs from the current version of the repository used in Yandex services.
The repository is one of the development tools within most companies that is available to their developers. Repositories are needed to work with code and are not intended to store personal data of users. We are conducting an internal investigation,” the company’s press service told Habr.
The developer Arseniy Shestakov explained that the archive contains only the contents of the git repositories, there are no personal data. There are several API keys, but they were most likely used only for test deployment. Some of the archives contain source code for part of the company’s services, as well as documentation pointing to real intranet URLs.
Yandex GIT Source tree got leaked!
magnet:?xt=urn:btih:7e0ac90b489baee8a823381792ec67d465488fef&dn=yandexarc&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2F9.rarbg.to%3A2920&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337%2Fannounce&tr=udp%3A%2F%2Fexodus.desync.com%3A6969&tr=udp%3A%2F%2Fbt1.archive.org%3A6969%2Fannounce&tr=udp%3A%2F%2Fbt2.archive.org%3A6969%2Fannounce&tr=udp%3A%2F%2Fopen.demonii.com%3A1337%2Fannounce
YANDEX SERVICES SOURCE CODE LEAK
SHORT OVERVIEW OF BREACH CONTENTS
PUBLISHED THU, JAN 26, 2023 BY ARSENIY SHESTAKOV
Just a few hours ago I found mention on Twitter that proprietary source code of Russian giant Yandex been leaked on online community called BreachForums. In this post I’ll share results of my friend digging into said archives.
Important details about torrent:
It is just content of repository without anything else.
All files are dated back to 24 February 2022.
It does not contain git history, mostly just code
No pre-built binaries for most of software with only few exceptions
There are no pre-trained ML models with some exceptions
This post is a work-in-progress and will be updated with more details.
Why is this big?
Yandex is one of largest IT companies in Russia. Within country it provide wider range of services than Google. Imagine one company that replace Google, Uber, Amazon, Netflix and Spotify.
Is this leak real?
I personally never worked at Yandex, but I know several people who worked there at different times or work there still. I verified that at least some of archives for sure contain modern source code for company services as well as documentation pointing to real intranet URLs.
What’s inside
It looks like at least source code for all major services of Yandex been leaked:
Search Engine and Indexing Bot
Maps – Like Google Maps and Street View
Alice – AI assistant like Siri / Alexa
Taxi – Uber-like taxi service
Direct – Ads service like Google Ads / Adwords
Mail – Mail service like GMail
Disk – File storage service like Google drive
Market – Marketplace like Amazon
Travel – Like a Booking.com plus Airplane, Train and Bus tickets
Yandex360 – Like Google Workspaces for services on your own domain
Cloud – Probably not all infrastructure code was leaked.
Pay – Payment processing like Stripe, but with limited set of features
Metrika – Like Google Analytics
And at least backend part of majority of other company services is there. Largest archive called “frontend” is yet to be explored.
- admins.tar.bz284885KB2023-01-27 03:12:49
- ads.tar.bz2592613KB2023-01-27 03:13:01
- alice.tar.bz2186478KB2023-01-27 03:13:05
- analytics.tar.bz2140767KB2023-01-27 03:13:08
- antiadblock.tar.bz247562KB2023-01-27 03:13:09
- antirobot.tar.bz218618KB2023-01-27 03:13:09
- balancer.tar.bz241788KB2023-01-27 03:13:10
- billing.tar.bz2437209KB2023-01-27 03:13:19
- bindings.tar.bz21289KB2023-01-27 03:13:19
- ci.tar.bz29674KB2023-01-27 03:13:19
- classifieds.tar.bz24901615KB2023-01-27 03:15:02
- client_analytics.tar.bz233492KB2023-01-27 03:15:03
- cloud.tar.bz2333693KB2023-01-27 03:15:10
- commerce.tar.bz2101528KB2023-01-27 03:15:12
- config.tar.bz26KB2023-01-27 03:15:12
- connect.tar.bz216834KB2023-01-27 03:15:12
- crm.tar.bz2160307KB2023-01-27 03:15:15
- crypta.tar.bz213470KB2023-01-27 03:15:16
- customer_service.tar.bz218KB2023-01-27 03:15:16
- datacloud.tar.bz21032KB2023-01-27 03:15:16
- delivery.tar.bz21452KB2023-01-27 03:15:16
- direct.tar.bz287155KB2023-01-27 03:15:18
- disk.tar.bz2145504KB2023-01-27 03:15:21
- docs.tar.bz251855KB2023-01-27 03:15:22
- drive.tar.bz2178253KB2023-01-27 03:15:25
- extsearch.tar.bz2529571KB2023-01-27 03:15:36
- frontend.tar.bz219145449KB2023-01-27 03:22:14
- gencfg.tar.bz29709KB2023-01-27 03:22:15
- groups.tar.bz254KB2023-01-27 03:22:15
- helpdesk.tar.bz2168KB2023-01-27 03:22:15
- infra.tar.bz2117499KB2023-01-27 03:22:17
- intranet.tar.bz255074KB2023-01-27 03:22:18
- investors.tar.bz28126KB2023-01-27 03:22:18
- kernel.tar.bz2125707KB2023-01-27 03:22:21
- library.tar.bz266987KB2023-01-27 03:22:23
- load.tar.bz256559KB2023-01-27 03:22:25
- mail.tar.bz2245423KB2023-01-27 03:22:30
- maps.tar.bz21555124KB2023-01-27 03:23:05
- maps_2.tar.bz217849KB2023-01-27 03:23:05
- maps_adv.tar.bz25603KB2023-01-27 03:23:06
- market.tar.bz24195574KB2023-01-27 03:24:39
- metrika.tar.bz2497936KB2023-01-27 03:24:49
- mobile-WARNING-notfull.tar.bz21717957KB2023-01-27 03:25:25
- nginx.tar.bz2447KB2023-01-27 03:25:25
- noc.tar.bz2521410KB2023-01-27 03:25:35
- partner.tar.bz222578KB2023-01-27 03:25:36
- passport.tar.bz2414028KB2023-01-27 03:25:45
- pay.tar.bz29215KB2023-01-27 03:25:45
- payplatform.tar.bz2212551KB2023-01-27 03:25:50
- paysys.tar.bz222510KB2023-01-27 03:25:50
- portal.tar.bz22468142KB2023-01-27 03:26:41
- privacy_office.tar.bz230KB2023-01-27 03:26:41
- products.tar.bz221KB2023-01-27 03:26:41
- robot.tar.bz2742738KB2023-01-27 03:26:56
- rt-research.tar.bz2152529KB2023-01-27 03:26:59
- saas.tar.bz217954KB2023-01-27 03:26:59
- sandbox.tar.bz243450KB2023-01-27 03:27:00
- search.tar.bz2559092KB2023-01-27 03:27:11
- security.tar.bz265713KB2023-01-27 03:27:13
- skynet.tar.bz2713KB2023-01-27 03:27:13
- smarttv.tar.bz2298KB2023-01-27 03:27:28
- smart_devices.tar.bz2737549KB2023-01-27 03:27:28
- solomon.tar.bz253248KB2023-01-27 03:27:30
- stocks.tar.bz21192KB2023-01-27 03:11:06
- switch.tar.bz2426KB2023-01-27 03:11:06
- tasklet.tar.bz2444KB2023-01-27 03:11:06
- taxi.tar.bz23460188KB2023-01-27 03:12:19
- tools.tar.bz217869KB2023-01-27 03:12:19
- travel.tar.bz2106624KB2023-01-27 03:12:21
- wmconsole.tar.bz29668KB2023-01-27 03:12:21
- yandex360.tar.bz21271012KB2023-01-27 03:12:47
- yandex_io.tar.bz227492KB2023-01-27 03:12:22
- yaphone.tar.bz23833KB2023-01-27 03:12:47
- yawe.tar.bz22381KB2023-01-27 03:12:48
Full file list of files:
If you dont want to download torrent, but curious of what’s inside you can get list of files from following gist:
https://gist.github.com/ArseniyShestakov/53a80e3214601aa20d1075872a1ea989
You can also clone it like normnal git repository:
git clone https://gist.github.com/ArseniyShestakov/53a80e3214601aa20d1075872a1ea989
List of all files can be obtained with following commands.
Full list of files in torrent
aapi.tar.bz2 client_method.tar.bz2 gencfg.tar.bz2 mobile-WARNING-notfull.tar.bz2.part skynet.tar.bz2
admins.tar.bz2 cloud.tar.bz2.part groups.tar.bz2 nginx.tar.bz2 smart_devices.tar.bz2.part
ads.tar.bz2 commerce.tar.bz2.part helpdesk.tar.bz2 noc.tar.bz2.part smarttv.tar.bz2
alice.tar.bz2.part config.tar.bz2 infra.tar.bz2 partner.tar.bz2 solomon.tar.bz2.part
analytics.tar.bz2.part connect.tar.bz2.part intranet.tar.bz2 passport.tar.bz2.part stocks.tar.bz2
antiadblock.tar.bz2 crm.tar.bz2.part investors.tar.bz2 pay.tar.bz2 switch.tar.bz2
antirobot.tar.bz2 crypta.tar.bz2 it-office.tar.bz2 payplatform.tar.bz2.part tasklet.tar.bz2
autocheck.tar.bz2 customer_service.tar.bz2 jupytercloud.tar.bz2 paysys.tar.bz2 taxi.tar.bz2.part
balancer.tar.bz2 datacloud.tar.bz2 kernel.tar.bz2.part portal.tar.bz2.part tools.tar.bz2
billing.tar.bz2 delivery.tar.bz2.part library.tar.bz2.part privacy_office.tar.bz2 travel.tar.bz2.part
bindings.tar.bz2 direct.tar.bz2.part load.tar.bz2.part products.tar.bz2 wmconsole.tar.bz2
captcha.tar.bz2 disk.tar.bz2 mail.tar.bz2.part robot.tar.bz2 yandex360.tar.bz2.part
cdn.tar.bz2 docs.tar.bz2 maps.tar.bz2.part rt-research.tar.bz2 yandex_io.tar.bz2.part
certs.tar.bz2 drive.tar.bz2.part maps_2.tar.bz2.part saas.tar.bz2 yaphone.tar.bz2
ci.tar.bz2.part extsearch.tar.bz2.part maps_adv.tar.bz2 sandbox.tar.bz2 yawe.tar.bz2
classifieds.tar.bz2.part frontend.tar.bz2.part market.tar.bz2.part search.tar.bz2
client_analytics.tar.bz2.part fuzzing.tar.bz2 metrika.tar.bz2.part security.tar.bz29
Security implications.
Since this is leak only contain contents of git repositories there is no personal data. There are at least some API keys, but they are likely only been used for testing deployment only.
You must be logged in to post a comment.