A Yandex source code repository allegedly stolen by a former employee of the Russian tech company has been leaked as a torrent on a popular hacking forum.

Yesterday the leaker posted a magnet link which it says are “Yandex git sources” consisting of 44.7GB of files stolen from the company in July 2022. These code repositories are said to contain all the source code for the company in addition to anti-spam rules.

Software Engineer Arseniy Shestakov analyzed leaked Yandex Git repository and has stated that it contains technical data and code for the following products:

• Yandex search engine and indexing bot
• Yandex Maps
• Alice (AI assistant)
• Taxi Yandex
• Yandex Direct (ad service)
• Yandex Mail
• Yandex disk (cloud storage service)
• Yandex market
• Yandex Travel (travel booking platform)
• Yandex360 (workspaces service)
• Yandex cloud
• Yandex Pay (payment processing service)
• Yandex Metrika (web analytics)

Shestakov also shared a list of leaked file directories on GitHub for those who want to see what source code has been stolen.

“There are at least a few API keys, but they’re probably only used for testing the deployment,” Shestakov said of the leaked data.

In a statement to BleepingComputer, Yandex said their systems were not hacked and that a former employee leaked the source code repository.

“Yandex was not hacked. Our security service found code fragments from an internal repository in the public domain, but the content differs from the current version of the repository used in Yandex services.

A repository is a tool for storing and working with code. The code is used in this way internally by most companies.

Repositories are necessary for working with code and are not intended for storing users’ personal data. We are conducting an internal investigation into the reasons for the public release of source code fragments, but we see no threat to user data or platform performance.” – Yandex.

Exposure to pirates

BleepingComputer also discussed the leak with Grigory Bakunov, former senior system administrator, deputy head of development and director of broadcast technologies at Yandex. who is very familiar with the leaked code, having worked at the tech giant between 2002 and 2019.

Bakunov explained that the motive for the data leak was political and that the rogue Yandex employee responsible for the data leak did not try to sell the code to competitors.

The former senior executive added that the leak does not contain any customer data, so it does not pose a direct risk to the privacy or security of Yandex users, nor does it directly threaten to leak proprietary technology.

Yandex uses a monorepo framework called “Arcadia”, but not all company departments use it. Also, even to build a service you need a lot of in-house tools and special knowledge, because standard build procedures don’t apply.

The leaked repository contains only code; the other important part is the data. Key things like model weights for neural networks etc. are missing, so it’s almost useless.

Still, there are many interesting files with names like “blacklist.txt” that could potentially expose working services.

However, Bakunov told BleepingComputer that the leaked code creates the opportunity for hackers to identify security holes and create targeted exploits. Bakunov thinks it’s only a matter of time now.

The former executive also commented on Yandex’s response, saying that the leaked code may not be identical to the current code used in the company’s work services, but may be 90% similar.

Therefore, a close examination of the leaked code could reveal possible weak points at Yandex for threat actors.