Yandex

Yandex comments on cybersecurity incident

January 31, 2023 – Yandex N.V. (NASDAQ: YNDX), the Dutch parent company of the Yandex Group  confirms that certain fragments of its program code have been discovered in the public domain. Among the information that was leaked was code relating to a number of Yandex services.

The company is taking this matter extremely seriously and has initiated a thorough investigation into the cause, content and implications of the leak. As of today, Yandex has found no evidence that personal information of its users or the performance of its services have been impacted. The company also notes that the published fragments of the code are outdated and differ from the version currently used by its services, while some of the published fragments were never actually used in operations.

At the same time, the preliminary investigation has surfaced a number of violations of Yandex’s own internal policies in the code, including a violation of Yandex’s Principles and Code of Business Ethics & Conduct. In addition, the investigation has uncovered certain adverse consequences of the company’s Zero Bug Policy (a framework of zero tolerance for bugs, which has been in place in the company for many years), which in some cases led to temporary manual solutions being introduced over automated processes and algorithms to fix an identified problem. Examples include the following:  

●      The code contained the contact details of some service partners, which should have been stored separately. For example, in certain cases, the contacts and license numbers of taxi drivers were transferred from one taxi company to another.

●      In the Yandex Lavka code, it was possible to manually set up recommendations for any product without clarifying that it was an ad.

●      Issues were identified in search resulting in part from manual attempts to fix bugs in the service or to resolve problems with the algorithms (e.g., manual improvements of filtering criteria to eliminate inappropriate content such as child pornography, and insulting or offensive remarks). 

●      Some parts of the code contained racial slurs. While they didn’t affect the operation of the relevant services in any way, they were nevertheless deeply offensive and completely unacceptable.

Many of these and other issues which came to light following the code leak have already been fixed or are in the process of being fixed.

The company takes principles such as integrity, transparency, a lack of bias and providing a safe digital environment extremely seriously and acknowledges a failure in management systems and oversight which prevented the issues described above from being prevented or detected earlier.

Based on the results of the investigation, the company will take all possible measures to strengthen its policies and enforce greater effectiveness of its management and oversight systems to ensure such issues are not repeated.

Yandex apologizes to everyone affected by this situation.

IPJSC “Yandex”

Head office in Russia: Moscow

Head office
16, Leo Tolstoy St., Moscow, Russia 119021
Investor Relations
Public Relations
Corporate Secretary