Megafail: Russian Mobile Operator Leaks Users’ SMS Histories.

News of the day: SMS histories of subscribers of Megafon, one of the largest Russian mobile operators with a 57 million+ user database, have been leaked. Thousands of messages are now available online, causing a major nationwide scandal. Another company that may have been involved in the scandal is Yandex, the largest national search engine, which may have indexed either some classified stored items or SMS messages sent from users’ computers. Update: Yandex has already removed the link to the leaked SMS histories from their search results.

The real causes of this epic fail are “still unknown and currently under investigation”. At least, this is what Megafon and Yandex officials are saying at the moment. Can’t wait for the whole picture!

We think the following may have caused the incident:

  • An incorrectly configured Megafon website, which allowed Yandex crawlers to index unprotected internal stored items. However, Google doesn’t have the same data in its search results, which makes us doubt this scenario. And I can’t imagine that Yandex crawlers are smart (or stupid) enough to brute-force webpages;
  • Access to the webpages with the SMS messages and their indexation was made possible by Megafon subscribers using the Yandex.Bar plug-in in their browsers; or
  • The Yandex.Metrika tool on the Megafon website was installed incorrectly, which caused classified data to be available for indexation.

It’s hard to say who is at fault in this issue (let’s see what the official results say). However, this is a major breach of the Russian Federal Law on Personal Data Protection and a bunch of other state regulations, which may mean the offending party will face legal prosecution and substantial penalties.

Update: Yandex officials have said Megafon admins deleted the robots.txt, exposing the web page with the online SMS service to web crawlers. Amazing…
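To make the point of the update concrete, here is an added example (not part of the original post) of an audit that separates pages the server actually protects from pages that are merely hidden by robots.txt. The paths, status codes, crawler name and robots.txt contents are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample data: paths on a hypothetical site and the HTTP status
# each one returns to a request that carries no session cookie.
UNAUTH_STATUS = {
    "/": 200,
    "/help/tariffs": 200,
    "/sms/history/12345": 200,  # sensitive page served without login
    "/account/profile": 302,    # server redirects anonymous users to login
}
SENSITIVE_PREFIXES = ("/sms/", "/account/")

ROBOTS_BEFORE = "User-agent: *\nDisallow: /sms/\nDisallow: /account/\n"
ROBOTS_AFTER = ""  # file deleted: nothing is disallowed any more


def crawlable(robots_txt, path, agent="ExampleBot"):
    """True if a well-behaved crawler would consider itself allowed to fetch path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def audit(robots_txt):
    """Return sensitive paths that an anonymous client can read, with a label."""
    findings = {}
    for path, status in UNAUTH_STATUS.items():
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        if status != 200:
            continue  # access control is enforced by the server itself
        findings[path] = ("indexable" if crawlable(robots_txt, path)
                          else "hidden only by robots.txt")
    return findings


if __name__ == "__main__":
    print("with robots.txt:   ", audit(ROBOTS_BEFORE))
    print("robots.txt deleted:", audit(ROBOTS_AFTER))
```

The unauthenticated SMS page is a finding in both runs; robots.txt only changes whether polite crawlers skip it, while the login-protected path never appears.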

Comments 7


    Eugene, unlikely to be a breach of the Federal Law on Personal Data Protection – it protects only user identity – in this case only phone numbers were visible, which are out of the scope.
    But no question Megafon sustained a breach in user confidence and trust here.


    “Yandex officials have said Megafon admins deleted the robots.txt exposing the web page with the online SMS service to web crawlers. Amazing…”

    So — just so I get it right: The only defence against massive download of text message data was a robots.txt file? Yeah, they really thought their security system through, I daresay. ;)


    Agree that’s really weird to see this sort of “protection” for sensitive data. Till now we have no comments from Megafon..

    shoulder length haircuts

    I don’t disagree with this post!

    kaspersky internet security 2012

    I used to have Norton 360. It would ask if you wanted them to remember your passwords & other online information , and automatically fill them in for you if you ever used the same site again. Does Kaspersky 2010 Internet Security have this feature? What do they have? And how do you used it?


    Please, refer to Kaspersky Password Manager for this purpose

    real hcg canada

    Hi there, i read your blog from time to time
    and i own a similar one and i was just curious if you get a lot of spam responses?
    If so how do you stop it, any plugin or anything you can advise?
    I get so much lately it’s driving me crazy so any help is very much appreciated.
