Major Data Broker Breach Reveals Locations of Users from Popular iPhone and Android Apps

Gravy Analytics, a data broker, has reported a significant data breach that occurred earlier this month, compromising the exact location data of millions of users of both iPhone and Android devices. This incident arose from unauthorized access to the AWS cloud storage environment of its parent company, Unacast, as indicated in a report by TechCrunch.

The full magnitude of this breach is still being assessed, but reports suggest that the alleged hacker has already disseminated a substantial sample of location data traced from several popular consumer apps, including those focused on fitness and health, dating, transportation, and major mobile games. This data encompasses tens of millions of location data points, revealing where individuals have visited, resided, worked, and traveled.

According to 404Media, hackers assert they have compiled customer lists alongside the sensitive location data, detailing the precise movements of millions of users. Some information has been shared in private online forums, raising further concerns about the extent of the breach.

Baptiste Robert, CEO of Predicta Lab, a digital security firm, has obtained a copy of the leaked data, which reportedly includes information about several high-profile locations such as the White House, Kremlin, Vatican, military installations, and other critical spots globally. This highlights the severity and potential implications of the exposed data.

In December, the United States Federal Trade Commission (FTC) took action against Gravy Analytics and its subsidiary Venntel, prohibiting them from selling or sharing location data associated with any applications or services. The FTC concluded that the companies had compromised consumer privacy, potentially exposing users’ sensitive information, such as health data and personal beliefs, which could lead to discrimination and other harms.

As part of the FTC’s order, Gravy Analytics was mandated to delete all location data and associated products developed from information gathered without user consent. However, it is likely that these databases had already suffered a breach prior to the order’s enforcement.

Gravy Analytics sources a significant portion of its location data through real-time bidding, the rapid auctions that determine which advertisements are displayed on users’ devices. During these auctions, advertisers gain access to a wealth of user device information, including the device make and model, IP addresses that can approximate a user’s location, and even more precise location data if the app user has granted access permissions.
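To make the exposure concrete, the following added example (not taken from the source reports or from any company named here) audits a constructed bid request for the fields listed above and produces a coarsened copy. It assumes the request uses OpenRTB 2.x field names, a protocol the article does not name; the sample values, the rounding precision, and the prefix lengths are illustrative choices.

```python
import copy
import ipaddress

# Constructed sample; field names follow the OpenRTB 2.x Device and Geo objects.
SAMPLE_BID_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.fitness"},
    "device": {
        "make": "Apple", "model": "iPhone", "ip": "203.0.113.57",
        "geo": {"lat": 48.858370, "lon": 2.294481, "type": 1},
    },
}

# OpenRTB Geo.type values: where the coordinates came from.
GEO_SOURCE = {1: "GPS/location services", 2: "IP address", 3: "user provided"}

def location_exposure(req):
    """Return (field, what it reveals) for each location-bearing field present."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    findings = []
    if "lat" in geo and "lon" in geo:
        source = GEO_SOURCE.get(geo.get("type"), "unknown source")
        findings.append(("device.geo", f"coordinates from {source}"))
    for key in ("ip", "ipv6"):
        if dev.get(key):
            findings.append((f"device.{key}", "approximate location"))
    return findings

def minimize(req, decimals=1):
    """Return a copy with coordinates rounded and IP addresses truncated."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], decimals)  # 1 decimal is roughly 11 km
    for key, prefix in (("ip", 24), ("ipv6", 48)):
        if dev.get(key):
            net = ipaddress.ip_network(f"{dev[key]}/{prefix}", strict=False)
            dev[key] = str(net.network_address)
    return out

if __name__ == "__main__":
    for field, reveals in location_exposure(SAMPLE_BID_REQUEST):
        print(f"{field}: {reveals}")
    print(minimize(SAMPLE_BID_REQUEST)["device"])
```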

The breached Gravy Analytics database contained location data from numerous applications, including well-known platforms such as Grindr and Tinder, heightening concerns about consumer privacy and data security. Business owners should take heed of this incident, adopting measures to enhance their own cybersecurity practices, especially regarding data handling and compliance.

To mitigate the risk of falling victim to similar breaches, individuals are encouraged to disable app tracking on their devices. This can be accomplished by navigating to the settings on an iPhone and turning off app tracking, which could help protect personal location information from unauthorized access.
