A breach of a data broker’s trove of location data threatens the privacy of millions

A hack and data breach at location data broker Gravy Analytics threatens the privacy of millions of people around the world, whose smartphone apps unwittingly revealed the location data that the data giant collected.

The full scale of the data breach is not yet known, but the alleged hacker has already released a large sample of location data from top consumer phone apps — including fitness and health, dating and transit apps, as well as popular games. The data represents millions of location data points about where people have been, live, work and travel between.

News of the breach broke last weekend when a hacker posted screenshots of location data on a closed-access Russian-language cybercrime forum, claiming they had stolen several terabytes of customer data from Gravy Analytics. Independent news outlet 404 Media first reported on the forum post about the alleged breach, which claimed to include the historical location data of millions of smartphones.

Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach to the country’s data protection authority as required under its law.

Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it said at the time was “one of the largest” collections of consumer location data. Gravy Analytics claims to track more than a billion devices worldwide every day.

In its data breach notice filed in Norway, Unacast said it detected on Jan. 4 that a hacker had obtained files from its Amazon cloud environment through a “misapplied key.” Unacast said it became aware of the breach through contact with the hacker, but the company did not provide any further details. The company said its operations were briefly taken offline after the breach.

Unacast said in the notice that it has also notified the UK data protection authority about the breach. A spokesperson for the UK Information Commissioner’s Office did not immediately comment on Monday when reached by TechCrunch.

Unacast executives Jeff White and Thomas Walle did not return multiple emails requesting comment from TechCrunch this week. In an unattributed statement sent to TechCrunch on Sunday from a generic Gravy Analytics email account, Unacast acknowledged the breach, saying its “investigation is ongoing.”

Gravy Analytics’ website was still down at the time of writing. According to TechCrunch’s check last week, several other domains associated with Gravy Analytics also appeared to be inactive.

30 million location data points have been leaked so far

Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to a sample of Gravy Analytics’ location data posted by the hacker say the information could be used to broadly track people’s recent locations.

Baptiste Robert, CEO of digital security firm Predicta Lab, which obtained a copy of the leaked dataset, said in a thread on X that the dataset contains more than 30 million location data points. These include devices located at the White House in Washington, D.C.; the Kremlin in Moscow; Vatican City; and military bases around the world. One of the maps shared by Robert shows Tinder users’ location data across the UK. In another post, Robert demonstrated that by overlaying the stolen location data with the locations of known Russian military facilities, it was possible to identify individuals acting as military personnel.

A map showing Tinder users located across the UK. Image credit: Baptiste Robert / X

Robert cautioned that the data also allows ordinary individuals to be easily identified; in one example, the data tracked a person as they traveled from New York to their home in Tennessee. Forbes reported on the danger the dataset poses to LGBTQ+ users, whose location data from certain apps can identify them in countries that criminalize homosexuality.

News of the breach came weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provide location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumer consent. The FTC accused the company of illegally tracking millions of people in sensitive locations like health care clinics and military bases.

Location data tapped from ad networks

Gravy Analytics sources most of its location data from a process called real-time bidding, a key part of the online advertising industry: a milliseconds-long auction in which advertisers bid to decide whose ad is delivered to your device.

During that near-instant auction, all bidding advertisers can see certain information about your device, such as the make and model, its IP addresses (which can be used to estimate a person’s approximate location), and, in some cases, more precise location data if granted by the app user, along with other technical factors that help determine which ad the user is shown.

But as a byproduct of this process, any advertiser who bids — or anyone closely monitoring these auctions — also has access to that trove of so-called “bidstream” data containing device information. Data brokers, who sell to governments, can combine that collected data with other information about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.
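
The following is an added example, not part of the original article: it lists the device fields in a bid request that can locate or re-identify a phone, then shows what an app or exchange could strip or coarsen before the request is broadcast to bidders. The article does not name a format, so the OpenRTB 2.x field names (`device.ifa`, `device.ip`, `device.geo`) are an assumption, the request is constructed sample data, and `exposed_fields` and `minimize` are hypothetical helpers.

```python
import copy
import ipaddress

# Constructed sample shaped like an OpenRTB 2.x bid request (assumed format, not real data).
SAMPLE_BID_REQUEST = {
    "id": "constructed-auction-1",
    "app": {"bundle": "com.example.transit"},
    "device": {
        "make": "ExampleCo", "model": "Phone 1",
        "ip": "203.0.113.77",
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising ID
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1},
    },
}

def exposed_fields(req):
    """List the fields that can locate or re-identify the device (hypothetical helper)."""
    dev = req.get("device", {})
    found = []
    if dev.get("ifa"):
        found.append("device.ifa")
    for key in ("ip", "ipv6"):
        if dev.get(key):
            found.append(f"device.{key}")
    geo = dev.get("geo", {})
    if "lat" in geo and "lon" in geo:
        # OpenRTB geo.type: 1 = GPS/location services, 2 = derived from IP address
        source = {1: "gps", 2: "ip"}.get(geo.get("type"), "unknown")
        found.append(f"device.geo:{source}")
    return found

def minimize(req, decimals=2):
    """Return a copy with the ad ID dropped, the IP truncated and coordinates coarsened."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    dev.pop("ifa", None)
    for key, prefix in (("ip", 24), ("ipv6", 48)):
        if dev.get(key):
            # Keep only the network part, e.g. 203.0.113.77 -> 203.0.113.0
            net = ipaddress.ip_network(f"{dev[key]}/{prefix}", strict=False)
            dev[key] = str(net.network_address)
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], decimals)  # 2 decimals is roughly 1 km
    return out

if __name__ == "__main__":
    print(exposed_fields(SAMPLE_BID_REQUEST))
    print(minimize(SAMPLE_BID_REQUEST)["device"])
```

Even after minimization the truncated IP and rounded coordinates still place the device in a neighborhood, which is why IP-derived location alone is enough to build the kind of dataset described here.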

Analysis of the location data by security researchers, including Predicta Lab’s Robert, reveals thousands of ad-serving apps that have, often unknowingly, shared bidstream data with data brokers.

The dataset includes data from popular Android and iPhone apps, including FlightRadar, Grindr, and Tinder — all of which have denied direct business links to Gravy Analytics but admitted to serving ads. But by the nature of the way the advertising industry works, it’s possible for ad-serving apps to collect data from their users without their explicit knowledge or consent.

As 404 Media noted, it’s not clear how Gravy Analytics collected its vast amount of location data, such as whether the company collected the data itself or from other data brokers. 404 Media discovered that a large amount of the location data is inferred from the device owner’s IP address, geolocated to approximate their real-world location, rather than relying on the device owner to allow the app to access the device’s precise GPS coordinates.

What you can do to prevent ad tracking

According to digital rights group the Electronic Frontier Foundation, almost every website has ad auctions, but there are steps you can take to protect yourself from ad surveillance.

Using an ad blocker, or a mobile-level content blocker, can be an effective defense against ad surveillance by preventing ad code from loading on websites in the user’s browser to begin with.

Android devices and iPhones also have built-in device-level features that make it more difficult for advertisers to track you within apps or across the web and link your pseudonymous device data to your real-world identity. The EFF also has a good guide on how to check these device settings.

If you have an Apple device, you can go to the “Tracking” option in your settings and turn off the setting that allows apps to request to track. This nullifies your device’s unique identifier, making it indistinguishable from anyone else’s.

“If you disable app tracking, your data is not shared,” Robert told TechCrunch.

Android users should go to the “Privacy” then “Ads” section of their phone’s settings. If the option is available, you can delete your advertising ID to prevent any apps on your phone from accessing your device’s unique identifier in the future. Those without this setting should still reset their Ad ID regularly.

Preventing apps from accessing your precise location when it’s not needed will also help reduce your data footprint.
