Yandex Data Breach Exposes 4K+ Email Accounts | Threatpost

In a security notice, Yandex said an employee had been providing unauthorized access to users’ email accounts “for personal gain.”

Yandex – one of Europe’s largest internet companies – is warning of a data breach that compromised 4,887 email accounts. The breach stems from an insider threat.

Yandex is the most-used search engine in Russia – and the fifth most-popular search engine worldwide. Beyond its search engine, Yandex’s internet product lineup includes email services, online advertising, app analytics and more.

The company found that a Yandex employee had been providing unauthorized access to users’ mailboxes “for personal gain.” This employee was one of three system administrators with the access privileges to provide technical support for mailboxes, Yandex said.



“A thorough internal investigation of the incident is under way, and Yandex will be making changes to administrative access procedures,” said Yandex’s Friday security advisory. “This will help minimize the potential for individuals to compromise the security of user data in future. The company has also contacted law enforcement.”

Yandex Internally Discovers Data Breach
Threatpost has reached out to Yandex for further comment on the timeline of the data breach – including when the unauthorized access to email accounts began, when the breach was discovered, and who was able to access the compromised accounts.

The company discovered the breach during a routine screening by its security team. Yandex stressed that no payment details were compromised, and said it has already blocked the unauthorized access to the compromised mailboxes.

“We have contacted the mailbox owners to alert them about the breach and they have been informed of the need to change their account passwords,” the company said.

What is a Cybersecurity Insider Threat?
The data breach is reflective of an insider threat. This is a type of threat that comes from within an organization – whether it’s an employee, former employee, contractor or otherwise. Insider threats can be non-malicious – such as a mistake by an employee (like a cloud misconfiguration) that leads to personal data being exposed. Or, as in this incident, they can be malicious, where an employee purposefully gives access (or is persuaded to give access) to internal systems or records.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), internal actors were behind 30 percent of breaches (with the majority, or 70 percent, coming from external actors).

Insider Threats Have Plagued ADT, Cisco and Amazon
An insider threat could leave companies reeling not only from financial or brand damage, but also from a subsequent loss of customer trust.

In a recent January case, for instance, a former ADT employee was caught adding his personal email address to the accounts of attractive women, so he could have around-the-clock access to their most private moments.

In December, a former Cisco Systems employee was sentenced to two years in jail, after hacking into the networking company’s cloud infrastructure and deleting 16,000 Webex Teams accounts in 2018. And in October, Amazon fired an employee who shared customers’ names and email addresses with a third party.

Brandon Hoffman, chief information security officer at Netenrich, said this incident highlights the ongoing concern related to insider threats.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source (dark web) forum,” said Hoffman. “There have been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee. Considering this happened in Russia, a known hotspot (or even the primary hub) of cybercrime, the fact that it was an intentional insider is not all that surprising.”