A hack and data breach at location data broker Gravy Analytics is threatening the privacy of millions of people around the world, whose smartphone apps unwittingly revealed their location data collected by the data giant.
The full scale of the data breach isn’t yet known, but the alleged hacker has already published a large sample of location data from top consumer phone apps — including fitness and health, dating, and transit apps, as well as popular games. The data represents tens of millions of location data points of where people have been, live, work, and travel between.
News of the breach broke last weekend after a hacker posted screenshots of location data on a closed-access Russian language cybercrime forum, claiming they had stolen several terabytes of consumers’ data from Gravy Analytics. Independent news outlet 404 Media first reported the forum post alleging the apparent breach, which claimed to include the historical location data of millions of smartphones.
Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach with the country’s data protection authorities as required under its law.
Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it touted at the time as “one of the largest” collections of consumers’ location data. Gravy Analytics claims to track more than a billion devices around the world daily.
In its data breach notice filed with Norway, Unacast said it identified on January 4 that a hacker acquired files from its Amazon cloud environment through a “misappropriated key.” Unacast said it was made aware of the breach through communication with the hacker, but the company gave no further details. The company said its operations were briefly taken offline following the breach.
Unacast said in the notice that it also notified U.K. data protection authorities of the breach. A spokesperson for the U.K.’s Information Commissioner’s Office did not immediately comment Monday when reached by TechCrunch.
Unacast executives Jeff White and Thomas Walle did not return multiple emails from TechCrunch this week requesting comment. In an unattributed statement from a generic Gravy Analytics email account sent to TechCrunch on Sunday, Unacast acknowledged the breach, saying that its “investigation remains ongoing.”
Gravy Analytics’ website was still down at the time of writing. Several other domains associated with Gravy Analytics also appeared to be non-functional, according to checks by TechCrunch over the past week.
30 million location data points leaked so far
Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to the sample of Gravy Analytics’ location data posted by the hacker say that the information can be used to extensively track people’s recent whereabouts.
Baptiste Robert, the CEO of digital security firm Predicta Lab who obtained a copy of the leaked dataset, said in a thread on X that the data set contained more than 30 million location data points. These included devices located at The White House in Washington D.C.; the Kremlin in Moscow; Vatican City; and military bases around the world. One of the maps shared by Robert showed the location data of Tinder users across the United Kingdom. In another post, Robert showed it was possible to identify individuals likely serving as military personnel by overlapping the stolen location data with the locations of known Russian military facilities.
Robert warned that the data also allows for easy deanonymization of ordinary individuals; in one example, the data tracked a person as they traveled from New York to their home in Tennessee. Forbes reported about the dangers that the dataset has for LGBTQ+ users, whose location data derived from certain apps could identify them in countries that criminalize homosexuality.
News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumers’ consent. The FTC accused the company of unlawfully tracking millions of people to sensitive locations, like healthcare clinics and military bases.
Location data tapped from ad networks
Gravy Analytics sources much of its location data from a process called real-time bidding, a key part of the online advertising industry that determines during a milliseconds-short auction which advertiser gets to deliver their ad to your device.
During that near-instant auction, all of the bidding advertisers can see some information about your device, such as the maker and model type, its IP addresses (which can be used to infer a person’s approximate location), and in some cases, more precise location data if granted by the app user, along with other technical factors that help determine which ad a user will be displayed.
But as a byproduct of this process, any advertiser that bids — or anyone closely monitoring these auctions — can also access that trove of so-called “bidstream” data containing device information. Data brokers, including those who sell to governments, can combine that collected information with other data about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.
Analyses of the location data by security researchers, including Predicta Lab’s Robert, reveal thousands of ad-displaying apps that have shared, often unknowingly, bidstream data with data brokers.
The data set contains data derived from popular Android and iPhone apps, including FlightRadar, Grindr, and Tinder — all of which have denied any direct business links to Gravy Analytics but acknowledged displaying ads. But by the nature of how the advertising industry works, it is both possible for ad-serving apps to have their users’ data collected while also not explicitly knowing about or agreeing to it.
As noted by 404 Media, it is unclear how Gravy Analytics derived its massive troves of location data, such as whether the company collected the data itself or from other data brokers. 404 Media found that large amounts of the location data was inferred from the device owner’s IP address, which is geolocated to approximate their real-world location, rather than relying on the device owner allowing the app to access the device’s precise GPS coordinates.
What you can do to prevent ad surveillance
Per digital rights group Electronic Frontier Foundation, ad auctions happen on nearly every website, but there are measures you can take to protect yourself from advertising surveillance.
Using an ad-blocker — or mobile-level content blocker — can be an effective defense against ad surveillance by blocking the ad code from loading on websites in the user’s browser to begin with.
Android devices and iPhones also bake in device-level features that make it more difficult for advertisers to track you between apps or across the web, and link your pseudonymous device data to your real-world identity. The EFF also has a good guide on how to check these device settings.
If you have an Apple device, you can go to the “Tracking” options in your Settings and switch off the setting for app requests to track. This zeroes out your device’s unique identifier, making it indistinguishable from anyone else’s.
“If you disable the app tracking, your data has not been shared,” Robert told TechCrunch.
Android users should go to the “Privacy” then “Ads” section of their phone’s settings. If the option is available, you can delete your advertising ID to prevent any app on your phone accessing your device’s unique identifier in the future. Those without this setting should still regularly reset their advertising IDs.
Preventing apps from accessing your precise location when it’s not required will also help reduce your data footprint.