A hack and data breach at location data broker Gravy Analytics threatens the privacy of millions of people around the world, with smartphone apps disclosing location information collected by the data giant. It will be published soon.
Although the full scale of the data breach is not yet clear, the alleged hackers have already collected large amounts of location data from major consumer phone apps, including fitness, health, dating, and transportation apps, as well as popular games. A large sample has been published. This data represents tens of millions of location data points that show where people have been, where they live, work, and move.
News of the breach broke over the weekend, when hackers posted screenshots of location data on a closed-access Russian-language cybercrime forum and claimed to have stolen terabytes of consumer data from Gravy Analytics. Independent news outlet 404 Media first reported a forum post alleging an apparent breach, claiming it contained historical location data from millions of smartphones.
Norwegian broadcaster NRK reported on January 11 that Gravy Analytics' parent company Unacast disclosed the breach to the country's data protection authority as required by law.
Founded in Norway in 2004, Unacast merged with Gravy Analytics in 2023 to create what it touted at the time was “one of the largest” collections of consumer location data. Gravy Analytics claims to track over 1 billion devices around the world every day.
In a data breach notification filed with Norway, Unacast said it identified on January 4 that hackers obtained files from Amazon's cloud environment through a “compromised key.” Unacast said it became aware of the breach through communications with the hackers, but the company did not provide further details. The company said its operations were temporarily suspended following the breach.
Unacast said in its notice that it had also notified UK data protection authorities of the breach. A spokesperson for the UK Information Commissioner's Office did not immediately comment to TechCrunch on Monday.
Unacast executives Jeff White and Thomas Walle did not respond to multiple emails seeking comment from TechCrunch this week. In an unidentified statement from a common Gravy Analytics email account sent to TechCrunch on Sunday, Unacast acknowledged the breach and said the “investigation is ongoing.”
The Gravy Analytics website was still down at the time of this writing. Several other domains related to Gravy Analytics also appear to be defunct, according to an investigation by TechCrunch over the past week.
30 million location information data have been leaked so far
Data privacy advocates have long warned about the risks data brokers pose to personal privacy and national security. Researchers with access to samples of Gravy Analytics location data posted by hackers say the information could be used to broadly track people's recent whereabouts.
Baptiste Robert, CEO of digital security company Predicta Labs, which obtained a copy of the leaked dataset, said in the X thread that the dataset contains more than 30 million location data points. said. These included devices located at the White House in Washington, DC. Moscow Kremlin. Vatican City; and military bases around the world. One of the maps Robert shared showed location data for Tinder users across the UK. In another post, Robert showed that by overlaying stolen location data with the locations of known Russian military facilities, it is possible to identify individuals who may be serving in the military. Ta.
A map showing Tinder users located across the UK. Image credit: Baptiste Robert / X
Robert warned that this data also makes it easy to anonymize the public. In one example, data tracked a person traveling from New York to his home in Tennessee. Forbes reported on the risks this dataset poses to LGBTQ+ users, as location data from certain apps can potentially identify LGBTQ+ users in countries where homosexuality is a crime.
News of the data breach comes as the Federal Trade Commission has ordered Gravy Analytics and its subsidiary Ventel, which provides location data to government and law enforcement agencies, to collect location data on Americans without consumers' consent. The announcement came weeks after the ban on sales. The FTC accused the company of illegally tracking millions of people to sensitive locations such as clinics and military bases.
Location data obtained from advertising networks
Gravy Analytics obtains much of its location data from a process called real-time bidding. Real-time bidding is a key part of the online advertising industry, determining which advertisers can serve ads to your device during short millisecond auctions.
During the near-instantaneous auction, any advertiser who bids can see information about the device, such as make and model type, IP address (which can be used to infer a person's approximate location), and in some cases other information. You can also check the information. Precise location data, if the app user allows it, and other technical factors that help determine which advertisements are shown to the user.
But as a byproduct of this process, advertisers who bid, or those who closely monitor these auctions, will also have access to a treasure trove of so-called “bidstream” data, including device information. Data brokers, including those who sell to governments, can combine the information they collect with other data about an individual from other sources to paint a detailed picture of someone's life and whereabouts.
Analysis of location data by security researchers, including Predicta Lab's Robert, reveals that thousands of ad-display apps share bidstream data with data brokers, often unknowingly. .
This dataset includes data from popular Android and iPhone apps such as FlightRadar, Grindr, and Tinder. All of these deny any direct business relationship with Gravy Analytics, but do acknowledge displaying ads. However, due to the nature of how the advertising industry works, ad-serving apps may collect your data without your explicit knowledge or consent.
As 404 Media pointed out, it's unclear how Gravy Analytics obtained the large amount of location data, such as whether the company collected the data itself or from other data brokers. 404 Media found that instead of relying on the device owner to give the app access to the device's precise GPS coordinates, large amounts of location data were inferred from the device owner's IP address. The device owner's IP address is localized to approximate its real-world location.
What you can do to prevent ad monitoring
Ad auctions are happening on nearly every website, but there are steps you can take to protect yourself from ad scrutiny, according to the Electronic Frontier Foundation, a digital rights organization.
Ad blockers (or mobile-level content blockers) provide an effective defense against ad monitoring by blocking ad code from loading onto websites on users' browsers in the first place.
Android devices and iPhones also include device-level features that make it more difficult for advertisers to track users across apps or across the web and link pseudonymous device data to real-world identities. EFF also has a great guide on how to check these device settings.
If you have an Apple device, you can turn off tracking of app requests by going to the Tracking option in Settings. This reduces the device's unique identifier to zero, making it indistinguishable from other devices.
“If you disable app tracking, your data will not be shared,” Robert told TechCrunch.
Android users should go to the “Privacy”, “Advertising” section of their phone's settings. If this option is available, you can remove the advertising ID to prevent apps on your phone from accessing your device's unique identifier in the future. Even if you don't do this, you should reset your advertising ID periodically.
Preventing apps from accessing your precise location when not needed also helps reduce your data footprint.