Key Takeaways:
- The data breach has affected thousands of widely used apps like Tinder, AccuWeather, CapCut, and more.
- The stolen data was harvested through real-time bidding (RTB) networks, hinting that app developers were unaware of their users' data being collected.
- Cybersecurity experts are advising businesses to re-evaluate their relationships with third-party data brokers.
Gravy Analytics, a leading location data broker, suffered a data breach that exposed millions of users' sensitive location information, sourced from thousands of popular mobile apps, including Tinder, Candy Crush, and MyFitnessPal.
The data, allegedly harvested through the online advertising ecosystem, highlights the growing privacy concerns surrounding location tracking and the role of data brokers, with far-reaching implications for both consumers and businesses.
The exposed files reveal tens of millions of mobile phone coordinates across the US, Russia, and Europe, linked to widely used apps.
"Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe. It's OSINT time! 👇 pic.twitter.com/sVlEEgEFcF"
— Baptiste Robert (@fs0c131y) January 8, 2025
Aside from the aforementioned apps, the data breach has also affected religious prayer apps, pregnancy apps, transit apps and more.
A full list of the apps affected has been released.

Shockingly, much of the location data was harvested not through embedded tracking code but through the real-time bidding (RTB) process in digital advertising. This suggests many app developers were unaware their users’ information was being collected.
Gravy Analytics sources its data from various providers, including RTB networks where ad companies silently harvest users' location.
Zach Edwards, senior threat analyst at Silent Push, described the situation as “a nightmare scenario for privacy.”
“Not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards adds.
Many of the affected apps did not knowingly consent to share users’ location data with the company.
Notably, some apps on the list have had past issues with data sharing, though they denied involvement in Gravy's data harvesting.
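To make the RTB exposure described above concrete, the following added example (not from the article or from any affected app) audits a constructed bid request for the fields that let any bidder tie a precise place to a device, then shows a minimized version. It assumes the exchange uses the IAB OpenRTB 2.x field names (`device.geo`, `device.ifa`, `device.ip`, `device.lmt`); the function names and sample values are hypothetical.

```python
import copy
import json

# Constructed sample bid request (not breach data). Field names follow the
# IAB OpenRTB 2.x object model, which is an assumption about the exchange.
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "example-request-1",
  "app": {"bundle": "com.example.weather", "name": "Example Weather"},
  "device": {
    "ifa": "00000000-1111-2222-3333-444444444444",
    "ip": "203.0.113.25",
    "lmt": 0,
    "geo": {"lat": 40.748441, "lon": -73.985664, "type": 1}
  }
}
""")

def audit_location_exposure(req):
    """Return findings for fields that let a bidder tie a place to a device."""
    findings = []
    device = req.get("device", {})
    geo = device.get("geo", {})
    if "lat" in geo and "lon" in geo:
        # 0.01 degree of latitude is roughly 1.1 km; anything finer is flagged.
        if any(round(geo[k], 2) != geo[k] for k in ("lat", "lon")):
            findings.append("device.geo: coordinates finer than 2 decimal places")
        if geo.get("type") == 1:
            findings.append("device.geo.type=1: GPS/location-services fix")
    if device.get("ifa") and not device.get("lmt"):
        findings.append("device.ifa: persistent advertising ID sent")
    if device.get("ip"):
        findings.append("device.ip: full IP address sent")
    return findings

def minimize(req, decimals=2):
    """Return a copy with coordinates coarsened and device identifiers removed."""
    out = copy.deepcopy(req)
    device = out.get("device", {})
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], decimals)
    geo.pop("type", None)      # do not advertise how the fix was obtained
    device.pop("ifa", None)    # drop the cross-app advertising ID
    device.pop("ip", None)     # drop the IP, which also allows geolocation
    device["lmt"] = 1          # signal Limit Ad Tracking downstream
    return out
```

Running `audit_location_exposure` on the outbound requests an ad SDK generates is one way for an app team to see what every bidder receives, whether or not it wins the auction.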
How Does This Affect Businesses?
This breach has far-reaching implications for businesses.
Gravy Analytics and its subsidiary Venntel provide location data to both commercial clients and U.S. government agencies like the IRS, FBI, and Immigration and Customs Enforcement (ICE).
This reveals the significant role location data plays in various sectors, from targeted advertising to surveillance and law enforcement.
The collection method through RTB platforms has raised privacy concerns, especially as apps may not be aware that their users' information is being harvested via third-party ad networks.
This has opened the door for surveillance companies to infiltrate app ecosystems, effectively sidestepping user consent requirements.
Further complicating matters, the Federal Trade Commission (FTC) has already cracked down on location data brokers, including Venntel, for selling sensitive information without user consent.
This breach marks a new chapter in understanding how deeply location tracking is embedded within the advertising and surveillance industries.
As the breach continues to unfold, cybersecurity experts are advising businesses to re-evaluate their relationships with third-party data brokers and reconsider privacy standards.
Several companies have distanced themselves from Gravy Analytics, but the long-term consequences for businesses involved in location data collection remain to be seen.
The breach highlights the urgent need for stronger data protection measures to safeguard consumer privacy across both commercial and government sectors. This is especially important given the steep rise in cyberattacks over the last few years.
Recently, IT and cloud consulting firm BlueGrid launched its Security Operations Center (SOC) as a service protecting IT environments from cyberattacks.






