Yandex Employee Caught Selling Access to Users’ Email Inboxes
Russian Dutch-domiciled search engine, ride-hailing and email service provider Yandex on Friday disclosed a data breach that compromised 4,887 email accounts of its users.
The company blamed the incident on an unnamed employee who had been providing unauthorized access to the users’ mailboxes for personal gain.
“The employee was one of three system administrators with the necessary access rights to provide technical support for the service,” Yandex said in a statement.
The company said the security breach was identified during a routine audit of its systems by its security team. It also said there was no evidence that user payment details were compromised during the incident and that it had notified affected mailbox owners to change their passwords.
It’s not immediately clear when the breach occurred or when the employee began offering unauthorized access to third-parties.
“A thorough internal investigation of the incident is under way, and Yandex will be making changes to administrative access procedures,” the company said. “This will help minimize the potential for individuals to compromise the security of user data in future. The company has also contacted law enforcement.”
Insider Threats Continue to Hit Companies
This is not the first time insider threats have plagued tech companies and resulted in financial or reputational damage.
Last month, Telesforo Aviles, a 35-year-old former Dallas-based ADT technician, pled guilty to computer fraud and invasive visual recording for repeatedly breaking into cameras he installed and viewed customers engaging in sex and other intimate acts. He was terminated from the firm in April 2020.
In December, former Cisco engineer Sudhish Kasaba Ramesh, 31, was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds.
In October last year, Amazon fired an employee for sharing customers’ names and email addresses with a third-party.
And in November 2019, cybersecurity firm Trend Micro revealed that a rogue employee sold the data of 68,000 customers to malicious cybercriminals, who then used that data to target customers with scam calls by posing as Trend Micro support personnel.