Source code archives of Yandex projects have appeared on the Internet, the authenticity of which has been confirmed by the company. The materials were indeed stolen from internal storage. However, Yandex denied the hypothesis that they were stolen as a result of a hacker attack. The company also assured that there was no danger to customers.
The total volume of archives published by hackers reached over 44.7 GB. Hackers noted that they managed to get access to the source code of Yandex projects in 2022. The archives contain materials for Python, C++, Go and TypeScript, as well as methods for working with protocol buffers, YAML and JSON data.
According to securitylab.ru, one of the strange features of the information in the archives is that there is a lot of support code written in Python 2.7, and all files and folders have the same date: "2022-02-24."
Yandex representatives confirmed the authenticity of the published materials, but said there was no hacking attack. “Yandex's security service found code fragments from the internal repository in the public domain. However, their content differs from the current version of the repository, which is used in Yandex services,” they said.
The company also noted that the repositories are not intended to store personal data of users, so there is no danger to them. However, Yandex is conducting an internal investigation to find out how the code fragments ended up on the Internet. “We do not see any risk to our users' data or the work of the platform,” the company added.
A source familiar with the situation said Yandex's project codes were leaked through the fault of one of the company's employees.
Experts note that the leaked codes are interesting for further investigation, but it is unlikely that they can be used directly and run a separate Yandex project based on them, as there are very specific solutions involved, including for Yandex infrastructure.