News of the day: SMS histories of subscribers of Megafon, one of the largest Russian mobile operators with a 57 million+ user database, have been leaked. Thousands of messages are now available online, causing a major nationwide scandal. Another company that may have been involved in the scandal is Yandex, the largest national search engine, which may have indexed either some classified stored items or SMS messages sent from users’ computers. Update: Yandex has already removed the link to the leaked SMS histories from their search queries.
The real causes of this epic fail are “still unknown and currently under investigation”. At least, this is what Megafon and Yandex officials are saying at the mo. Can’t wait for the whole picture!
We think the following may have caused the incident:
- An incorrectly configured Megafon website, which allowed Yandex crawlers to index unprotected internal stored items. However, Google doesn’t have the same data in its search results, which makes us doubt this scenario. And I can’t imagine that Yandex crawlers are smart (or stupid) enough to brute-force webpages;
- Access to the webpages with the SMS messages and their indexation was made possible by Megafon subscribers using the Yandex.Bar plug-in in their browsers; or
- The Yandex.Metrika tool on the Megafon website was installed incorrectly, which caused classified data to be available for indexation.
It’s hard to say who is at fault in this issue (let’s see what the official results say). However, this is a major breach of the Russian Federal Law on Personal Data Protection and a bunch of other state regulations, which may mean the offensive party will face legal prosecution and substantial penalties.
Update: Yandex officials have said Megafon admins deleted the robots.txt exposing the web page with the online SMS service to web crawlers. Amazing…