Cyber expert Lukatsky highlighted the potential dangers when data from Yandex.Food customers is exposed to thieves.
The leakage of customer data from the Yandex.Food platform can be exploited by fraudsters in multiple ways. In discussions with a Russian publication, the security specialist with Cisco Systems, Alexei Lukatsky, described how leaked information could be used to enrich other databases that previously contained only emails or phone numbers. Now, more sensitive details like home addresses could be appended, widening the scope of what bad actors might attempt to misuse.
Beyond basic identifiers, it becomes possible to infer whether a person is at home by analyzing who orders what and when. This kind of data can raise the risk of targeted burglaries, especially in dense urban settings where delivery patterns are common and predictable.
Alexey Lukatsky is an information security expert with Cisco Systems.
In early March, Yandex.Food acknowledged a data breach affecting user accounts. The service stated that, due to dishonest actions by a former employee, customers’ phone numbers and order details — including items, delivery times, and related data — were published online. Yandex indicated that measures had been tightened to protect sensitive information and that legal action had been taken against the responsible individual, along with a review of internal processes to prevent future incidents.
Later in March, Telegram channels and several media outlets reported a site displaying a map with data tied to Yandex.Food users. The map allegedly linked addresses with names, phone numbers, and spending information from orders, illustrating how leaked data can be aggregated and made more actionable for malicious purposes.
The broader takeaway is clear: even regulated platforms can be vulnerable to internal misuse, and once data enters the public domain, it can be repurposed in ways that compromise consumer safety. Consumers should remain vigilant about the information they share and monitor accounts for unusual activity, especially if contact details and order histories are part of the data set in question. Businesses handling personal information must invest in robust access controls, regular audits, and clear incident-response plans to mitigate the impact of any breach and to communicate transparently with affected users while pursuing remediation.
In the wake of such incidents, experts advise emphasizing data minimization, encryption at rest and in transit, and strict role-based access for employees. Additionally, organizations should maintain an up-to-date inventory of what data is collected, where it is stored, and who can access it. When breaches occur, prompt notification, rapid containment, and a roadmap for remediation are essential to reducing risk and maintaining consumer trust.
For individuals, practical steps include changing passwords for accounts tied to the platform, enabling two-factor authentication where possible, and watching for suspicious messages or calls that reference leaked contact details. Staying informed about evolving security practices and knowing how to report suspected breaches can help limit potential harm and encourage swift organizational accountability.