We’re no strangers to apps collecting our data, but what happens when that data is weaponized? In a chilling turn of events, hackers have breached a firm that aggregates location data from thousands of apps. The attackers are threatening to publicly release sensitive information, including customer lists, industry details, and historical location data sourced from millions of smartphones.
Data Breach Affects Millions
According to 404 Media, the hackers claim that the breach affects “personal data of millions of users” and have issued a 24-hour ultimatum to Gravy Analytics, the company at the center of the controversy. Gravy Analytics, along with its subsidiary Venntel, has previously come under scrutiny for selling location data to the U.S. government for use in operations such as immigration enforcement.
Apps Involved in Data Collection
Gravy Analytics reportedly obtained location data from thousands of popular apps, including well-known names like:
- Candy Crush
- Tinder
- Grindr
- Microsoft Outlook
- My Period Calendar & Tracker
- MyFitnessPal
- MyAnimeList
- Goat Simulator
- Bloons TD Battles
It remains unclear whether all the data was directly sourced by Gravy Analytics or acquired from third-party data brokers. While the exact timeline for the data collection is unknown, some clues suggest it could be recent—for instance, references to Call of Duty Mobile: Season 5, which began in May 2024.
How the Data Was Collected
The breach appears to involve data collected via real-time bidding (RTB), a common method in digital advertising. Through RTB, advertisers gain access to data like device identifiers and IP addresses, often without the app publishers’ knowledge of how their users’ data is being utilized.
Expert Warnings and Risks
Privacy advocates have long warned about the dangers of location data brokers being compromised. Zach Edwards, senior threat analyst at Silent Push, called the breach a “nightmare scenario.” Edwards emphasized the risks of deanonymization, which could expose individuals visiting sensitive locations such as abortion clinics, government facilities, or places linked to their sexual orientation or other protected traits.
“This data has been sold for years to corporate and government entities, but widespread access to this information by malicious actors poses significant threats,” Edwards said. He further noted the potential for misuse if such data becomes available on underground markets.
Precise vs. Coarse Data Collection
While some of the leaked data appears to be derived from IP-based coarse location tracking, apps requesting precise location permissions could have been exploited. Krzysztof Franaszek, founder of digital forensics firm Adalytics, highlighted that user agents in the data include references to Google’s Mobile Ads SDK, suggesting potential links to advertising tools.
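To make the RTB exposure and the precise-versus-coarse distinction described above concrete, here is an added example (not from the original article or from any company named in it) of a publisher-side check that lists the identifying fields in an outgoing bid request and produces a minimized copy. It assumes the request follows the OpenRTB 2.x device and geo field names; the sample request, app bundle and function names are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample; field names follow the OpenRTB 2.x device and geo objects.
SAMPLE_BID_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.game"},
    "device": {
        "ip": "203.0.113.87",
        "ifa": "00000000-1111-2222-3333-444444444444",
        "geo": {"lat": 40.123456, "lon": -75.654321, "type": 1},
    },
}
GEO_TYPE_GPS = 1  # OpenRTB geo.type: 1 = GPS/location services, 2 = IP-derived


def truncate_ipv4(ip):
    """Zero the host part of an IPv4 address, keeping only its /24 network."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)


def audit(request, decimals=1):
    """List the identifying signals a bidder would receive from this request."""
    device = request.get("device", {})
    geo = device.get("geo", {})
    findings = []
    if device.get("ifa"):
        findings.append("advertising_id")
    ip = device.get("ip")
    if device.get("ipv6") or (ip and truncate_ipv4(ip) != ip):
        findings.append("full_ip")
    coords = [geo[k] for k in ("lat", "lon") if k in geo]
    if geo.get("type") == GEO_TYPE_GPS and any(round(c, decimals) != c for c in coords):
        findings.append("precise_location")
    return findings


def minimize(request, decimals=1):
    """Return a copy with the ad ID dropped, the IP truncated and geo coarsened."""
    out = copy.deepcopy(request)
    device = out.get("device", {})
    device.pop("ifa", None)
    device.pop("ipv6", None)
    if "ip" in device:
        device["ip"] = truncate_ipv4(device["ip"])
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], decimals)  # 1 decimal is roughly 11 km
    return out
```

Running `audit` on the output of `minimize` shows whether any of the three signals still leaves the app.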
Denials and Unanswered Questions
Some of the implicated apps, including Tinder and Grindr, denied any connection to Gravy Analytics and stated that they had no evidence their platforms were involved in data collection for the firm. This raises further questions about how Gravy Analytics acquired such extensive data.
What’s Next?
If hackers follow through with their threat to release the stolen data, it could have far-reaching consequences for privacy and security. This incident serves as a stark reminder of the risks tied to the location data industry, where personal information is routinely collected, sold, and now, potentially exposed to the public.
For individuals, this breach underscores the importance of reviewing app permissions, minimizing location tracking, and staying informed about how personal data is handled. As cybersecurity experts warn, this may be the first major breach of a location data broker—but it is unlikely to be the last.