A breach of a location data broker threatens the privacy of millions


A hack and data breach at location data broker Gravy Analytics threatens the privacy of millions of people around the world, whose smartphone apps unwittingly revealed their location data, which the data giant collected.

The full scale of the data breach is not yet known, but the alleged hacker has already released a large sample of location data from leading consumer mobile apps, including fitness and health, dating and transit apps, as well as popular games. The data represents tens of millions of location data points showing where people have been, live, work and travel between.

News of the breach broke last weekend after a hacker posted screenshots of location data on a closed-access Russian-language cybercrime forum, saying they had stolen several terabytes of consumer data from Gravy Analytics. Independent news outlet 404 Media first reported the forum post alleging the apparent breach, which it claimed included the historical location data of millions of smartphones.

Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach to the country’s data protection authority, as required by its law.

Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it said at the time was “one of the largest” collections of consumer location data. Gravy Analytics claims to track more than a billion devices worldwide every day.

In their data breach notice filed in Norway, Unacast said it identified on January 4 that a hacker acquired files from its Amazon cloud environment through a “misappropriated key.” Unacast said it was informed of the breach through communication with the hacker, but the company did not provide further details. The company said its operations were briefly offline after the breach.

Unacast said in the notice that it has also notified the UK data protection authority of the breach. A spokesperson for the UK Information Commissioner’s Office did not immediately comment on Monday when reached by TechCrunch.

Unacast executives Jeff White and Thomas Walle did not return multiple emails from TechCrunch this week seeking comment. In an unattributed statement sent to TechCrunch on Sunday from a generic Gravy Analytics email account, Unacast acknowledged the breach, saying its “investigation remains ongoing.”

The Gravy Analytics website was still down at the time of writing. Several other domains associated with Gravy Analytics also appear to be non-functional, according to TechCrunch’s checks over the past week.

30 million location data points leaked so far

Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to the sample Gravy Analytics location data released by the hacker say the information can be used to broadly track people’s recent location.

Baptiste Robert, the CEO of digital security firm Predicta Lab, which obtained a copy of the leaked dataset, said in a thread on X that the dataset contains more than 30 million location data points. These include devices located at the White House in Washington DC; the Kremlin in Moscow; Vatican City; and military bases around the world. One of the maps shared by Robert showed the location data of Tinder users throughout the UK. In another, Robert demonstrated that it was possible to identify people likely to serve as military personnel by overlaying the stolen location data with the locations of known Russian military facilities.

[Image: a map showing Tinder users located across the UK. Image credits: Baptiste Robert / X]

Robert warned that the data also allows easy deanonymization of ordinary individuals; in one example, the data tracked a person as he traveled from New York to his home in Tennessee. Forbes reported on the dangers that the dataset poses for LGBTQ+ users, whose location data derived from certain apps could identify them in countries that criminalize homosexuality.

News of the breach comes weeks after the Federal Trade Commission prohibited Gravy Analytics and its subsidiary Venntel, which provide location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumer consent. The FTC accused the company of illegally tracking millions of people in sensitive locations, such as health clinics and military bases.

Location data used by advertising networks

Gravy Analytics sources much of its location data from a process called real-time bidding, a key part of the online advertising industry that determines, during a milliseconds-long auction, which advertiser gets to deliver their ad to your device.

During that near-instant auction, all bidders can see some information about your device, such as the manufacturer and model type, its IP addresses (which can be used to infer the approximate location of a person), and in some cases, more accurate location data if granted by the app user, along with other technical factors that help determine which ad a user will be shown.

But as a byproduct of this process, any advertiser who bids, or anyone who closely monitors these auctions, can also access that trove of so-called “bidstream” data, which contains device information. Data brokers, including those that sell to governments, can combine the information they collect with other data about those individuals from other sources to paint a detailed picture of someone’s life and location.
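To make the exposure concrete, the following added example (not part of the original article) audits a bid request for the fields that tie a location to one device, then produces a minimized copy of the kind a privacy-conscious publisher could forward instead. It assumes the auction uses OpenRTB 2.x field names, which the article does not mention; the sample request and all its values are constructed.

```python
import copy
import ipaddress

ZERO_IFA = "00000000-0000-0000-0000-000000000000"
# OpenRTB geo "type" values: where the coordinates came from.
GEO_SOURCE = {1: "GPS/location services", 2: "IP address", 3: "user provided"}

# Constructed sample bid request (assumed OpenRTB 2.x layout, invented values).
SAMPLE = {
    "id": "example-auction-1",
    "app": {"bundle": "com.example.transit"},
    "device": {
        "make": "ExamplePhone", "model": "X1",
        "ip": "203.0.113.57",
        "ifa": "6f1c2d3e-0000-4a5b-8c9d-123456789abc",  # advertising ID
        "lmt": 0,  # 0 = user has not limited ad tracking
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1},
    },
}

def audit(req):
    """List the fields that let a bidder tie a location to one device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    findings = []
    ifa = dev.get("ifa")
    if ifa and ifa != ZERO_IFA:
        findings.append("persistent advertising ID present")
    if dev.get("ip"):
        findings.append("IP address present")
    if "lat" in geo and "lon" in geo:
        src = GEO_SOURCE.get(geo.get("type"), "unknown source")
        findings.append(f"coordinates present ({src})")
    return findings

def minimize(req):
    """Return a copy with the ID zeroed, IP truncated, coordinates coarsened."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    dev["ifa"] = ZERO_IFA
    dev["lmt"] = 1
    if dev.get("ip"):
        # IPv4 only in this sketch: keep the /24 network, drop the host part.
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], 1)  # about 11 km of latitude
    return out
```

Even the minimized request still carries an IP prefix and coarse coordinates, which is why the auditing step reports them as present rather than treating truncation as anonymization.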

Analysis of the location data by security researchers, including Predicta Lab’s Robert, reveals thousands of ad-displaying apps have shared, often unknowingly, bidstream data with data brokers.

The dataset contains data derived from popular Android and iPhone apps, including FlightRadar, Grindr and Tinder, all of which have denied any direct commercial links to Gravy Analytics but acknowledge displaying advertisements. But given how the advertising industry works, it is possible for ad-serving apps to have their users’ data collected without being explicitly aware of it or consenting to it.

As noted by 404 Media, it is not clear how Gravy Analytics derived its massive troves of location data, such as whether the company collected the data itself or from other data brokers. 404 Media found that a large amount of location data was inferred from the IP address of the device owner, which is geolocated to approximate its location in the real world, rather than relying on the device owner allowing the app to access the exact GPS coordinates of the device.

What you can do to prevent ad tracking

According to digital rights group the Electronic Frontier Foundation, advertising auctions happen on almost all websites, but there are steps you can take to protect yourself from advertising surveillance.

Using an ad-blocker, or a mobile content blocker, can be an effective defense against ad monitoring, as it blocks the ad code from loading on websites in the user’s browser to begin with.

Android and iPhone devices also have baked-in device-level features that make it harder for advertisers to track you between apps or on the web, and to link your pseudonymous device data to your real identity. The EFF also has a good guide on how to check these device settings.

If you have an Apple device, you can go to the “Tracking” option in your Settings and turn off the setting for app requests to track. This zeros out your device’s unique identifier, making it indistinguishable from anyone else’s.

“If you turn off app tracking, your data isn’t shared,” Robert told TechCrunch.

Android users should go to the “Privacy” section after “Ads” of their phone’s settings. If the option is available, you can delete your advertising ID to prevent any app on your phone from accessing your unique device identifier in the future. Those without this setting should still regularly reset their advertising IDs.

Preventing apps from accessing your precise location when not needed will also help reduce your data footprint.


