A breach of a data broker’s location database threatens the privacy of millions of people


A hack and data breach at location data broker Gravy Analytics threatens the privacy of millions of people around the world whose smartphone apps unwittingly reveal location data collected by the data giant.

The full extent of the data breach is not yet known, but the alleged hacker has already released a large sample of location data from top consumer phone apps — including fitness and health, dating and transit apps, as well as popular games. The data represents tens of millions of location data points showing where people have been, live, work and travel between.

News of the breach broke last weekend after a hacker posted screenshots of location data on a closed-access Russian-language cybercrime forum, claiming to have stolen several terabytes of consumer data from Gravy Analytics. Independent news agency 404 Media first reported the forum post about the apparent breach that allegedly contained the historical location data of millions of smartphones.

Norwegian broadcaster NRK said on January 11 that Gravy Analytics’ parent company, Unacast, disclosed the breach to the country’s data protection authorities in accordance with its laws.

Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it touted at the time as one of the “largest” collections of consumer location data. Gravy Analytics claims to monitor more than one billion devices worldwide every day.

In its data breach notification, which was filed in Norway, Unacast revealed on January 4 that a hacker had obtained files from Amazon’s cloud environment using a “spoofed key”. Unacast said it was notified of the breach through contact with the hacker, but the company did not provide further details. The company said its operations were briefly taken offline after the breach.

Unacast said in a statement that it has also informed UK data protection authorities about the breach. A spokesperson for the U.K.’s Information Commissioner had no immediate comment Monday when reached by TechCrunch.

Unacast executives Jeff White and Thomas Walle did not return multiple emails seeking comment from TechCrunch this week. In an unattributed statement sent to TechCrunch on Sunday from a generic Gravy Analytics email account, Unacast acknowledged the breach, saying “an investigation is ongoing.”

Gravy Analytics’ website was still down at the time of writing. According to checks by TechCrunch last week, several other domains associated with Gravy Analytics also appeared to be non-functional.

So far, 30 million location data points have been leaked

Data privacy advocates have long warned about the risks that data brokers pose to individual privacy and national security. Researchers with access to a sample of Gravy Analytics’ location data posted by the hacker say the data could be used to broadly track people’s recent locations.

Baptiste Robert, CEO of digital security firm Predicta Lab, which obtained a copy of the leaked data set, said in a post on X that the dataset contains more than 30 million location data points. These include devices located at the White House in Washington; the Kremlin in Moscow; the Vatican; and military bases around the world. One of the maps shared by Robert showed location information of Tinder users throughout the UK. In another post, by matching the stolen location data with the locations of known Russian military facilities, Robert showed that it was possible to identify individuals serving as military personnel.

A screenshot showing purple location dots placed across a map of the UK, showing Tinder users across the country.
A map showing Tinder users based in the United Kingdom. Image credits: Baptiste Robert / X

Robert cautioned that the data also allows ordinary individuals to be easily de-anonymized; in one example, data followed a man from New York to his home in Tennessee. Forbes reported on the dangers this dataset poses for LGBTQ+ users, whose location data from certain apps may identify them in countries that criminalize homosexuality.

News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement agencies, from collecting and selling Americans’ location data without consumer consent. The FTC has accused the company of illegally tracking millions of people to sensitive locations like health clinics and military bases.

Location data from advertising networks

Gravy Analytics gets most of its location data from a process called real-time bidding, a staple of the online advertising industry that determines, during a milliseconds-short auction, which advertiser will deliver their ad to your device.

All advertisers who bid during the instant auction can see some information about your device, such as the manufacturer and model type, its IP address (which can be used to determine a person’s approximate location), and in some cases more accurate location information, if provided by the application user, among other technical factors that help determine which ad to display to the user.

But as a byproduct of this process, any advertiser who bids, or anyone else watching these auctions closely, can access the so-called bidstream, which contains device data. Data brokers, including those selling to governments, can combine collected data with other information about those individuals from other sources to create a detailed picture of someone’s life and whereabouts.

Analysis of the location data by security researchers, including Predicta Lab’s Robert, reveals thousands of ad-serving apps that share bidstream data with data brokers, often unwittingly.

The data set contains data from popular Android and iPhone apps including FlightRadar, Grindr and Tinder — all of which have denied direct business links to Gravy Analytics, but have acknowledged serving ads. But because of how the advertising industry works, it’s possible for ad-serving apps to have their users’ data collected without either their knowledge or consent.

As 404 Media noted, it’s not clear how Gravy Analytics obtained its massive trove of location data, or whether the company collected the data itself or from other data brokers. 404 Media found that a large amount of the location data was derived from the device owner’s geolocated IP address to estimate their real-world location, rather than relying on the device owner allowing the app to access the device’s exact GPS coordinates.
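To make concrete which bidstream fields carry the risk described above (IP address, advertising identifier, GPS versus IP-derived location), here is an added example, not part of the original article, of an ad-serving app or exchange coarsening the device data in a bid request before it is broadcast to bidders. The field names follow the OpenRTB 2.x convention (`device.ip`, `device.ifa`, `device.lmt`, `device.geo`), which the article does not name and is assumed here; the sample request is constructed.

```python
import copy
import ipaddress

# OpenRTB 2.x geo.type: 1 = GPS/location services, 2 = IP-derived, 3 = user provided
GEO_SOURCE = {1: "gps", 2: "ip", 3: "user"}
ZERO_IFA = "00000000-0000-0000-0000-000000000000"  # ID reported when tracking is off


def truncate_ip(ip: str) -> str:
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def geo_source(bid_request: dict) -> str:
    """Say whether the location came from GPS, IP geolocation or the user."""
    geo = bid_request.get("device", {}).get("geo", {})
    return GEO_SOURCE.get(geo.get("type"), "unknown")


def minimize_device(bid_request: dict, geo_decimals: int = 1) -> dict:
    """Return a copy of the request with the device data coarsened."""
    req = copy.deepcopy(bid_request)
    dev = req.get("device", {})
    for key in ("ip", "ipv6"):
        if dev.get(key):
            dev[key] = truncate_ip(dev[key])
    # Honour "limit ad tracking": never forward the advertising ID.
    if dev.get("lmt") == 1 or dev.get("ifa") == ZERO_IFA:
        dev.pop("ifa", None)
    geo = dev.get("geo") or {}
    # One decimal place is roughly 11 km: a city, not a home address.
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], geo_decimals)
    return req


# Constructed sample request (documentation IP range, made-up identifier).
SAMPLE = {"id": "constructed-1", "device": {
    "make": "ExamplePhone", "model": "X1", "ip": "203.0.113.77", "lmt": 1,
    "ifa": "11111111-2222-3333-4444-555555555555",
    "geo": {"lat": 40.71278, "lon": -74.00597, "type": 1},
}}

if __name__ == "__main__":
    print(geo_source(SAMPLE), minimize_device(SAMPLE)["device"])
```
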

What you can do to prevent ad tracking

Per digital rights group the Electronic Frontier Foundation, ad auctions take place on almost every website, but there are steps you can take to protect yourself from ad tracking.

Using an ad blocker or a mobile-level content blocker can be an effective defense against ad tracking, because it blocks ad code from loading on websites in the user’s browser in the first place.

Android devices and iPhones also have device-level features that make it harder for advertisers to track you across apps or across the web, and to link your pseudonymized device data to your real-world identity. The EFF also has a good guide on how to check these device settings.

If you have an Apple device, you can go to the “Tracking” options in your Settings and switch off the setting that allows apps to request to track. This resets your device’s unique identifier and makes it indistinguishable from others.

“If you turn off app tracking, your data is not shared,” Robert told TechCrunch.

Android users should go to “Privacy” and then “Ads” in their phone’s settings. If the option is available, you can delete your ad ID to prevent any apps on your phone from accessing your device’s unique identifier in the future. Those without this setting should still reset their ad ID regularly.

Preventing apps from accessing your exact location unless requested will also help reduce your data footprint.


