Terrible non-terrible leak – Newspaper Kommersant No. 15 (7460) of 01/27/2023

Data leaks from companies have already become commonplace, but the most recent one turned out to be curious: an archive of more than 44 GB containing the source code of Yandex services and programs appeared online, consisting of the sections taxi, classfields, portal and others. The company called the contents of the leak “an outdated code snippet from an internal repository (repository for collaborative code development.— “Ъ”)”. According to Yandex representatives, the company sees no threat from the leak.

A number of experts I interviewed agreed with this, perhaps because they did not want to step on Yandex's toes. But several of my sources still doubted that the public release of the source code would have no effect on the operation of the resources of one of the largest IT companies in the country.

The point is that source code can never be called completely obsolete, because in any case some part of it remains in systems even after many updates. Here we are talking about files dated last year, which for a software company is very much “now”. The Yandex code at the very least contains logins and passwords for database servers, the contents of which may be of interest to attackers, so the company will have to check and change the data, says Ashot Oganesyan, founder of the DLBI data leak intelligence and darknet monitoring service.

In addition, the leak may attract not only hackers, but also ordinary companies that develop resources in the Yandex browser. The market is interested in code that “can shed light on how algorithms work and give SEOs the keys to manipulate its results.” If this is true, after some time the incident may affect the search results for the most enterprising players.

Politicians, for their part, see the machinations of ill-wishers in the incident. “This source leak story is modeled to discredit the Russian IT flagship,” State Duma deputy Anton Gorelkin wrote on his Telegram channel. In his opinion, “someone strongly dislikes the way the company copes with the geopolitical complexities of doing business.” This opinion is partly shared by my sources in the government, who are concerned about the security of the infrastructure of leading IT companies in light of reports of the leak of the database of the Mail.ru mail service controlled by VK, attacks on Ozon during sales days and other incidents.

Thus, although in most cases companies give assurances after leaks that these create no risks, the Yandex example indicates the opposite. Yes, the leak does not really threaten users with anything in particular. But if vulnerabilities are found in the code, they can be used to organize hacks, which will result in more serious incidents.
