Huge Data Breach Exposes Locations of Millions of Users From Popular iPhone and Android Apps

As we shared yesterday, data broker Gravy Analytics was recently hit by a massive data breach, exposing the personal data of millions of iPhone and Android users. According to TechCrunch, this included not only demographic information but also location data, per a disclosure earlier this month by Gravy Analytics’ parent company Unacast [PDF]. The company says its Amazon Web Services (AWS) cloud storage environment had been accessed by an unauthorized person using a “misappropriated access key.” In AWS terms, that is a long-lived IAM credential used from somewhere it should not have been, which is exactly the kind of abuse that short-lived credentials, key rotation, and alerting on unfamiliar source addresses in CloudTrail are meant to catch.
Preliminary findings suggest that the files obtained by the bad actors “could contain personal data” collected from users of third-party services that use Gravy Analytics. As reported by 404Media, hackers claim to have gotten their hands on customer lists and location data from smartphones that shows millions of users’ precise movements. Some of that data has been shared on private forums.
The full scale of the data breach isn’t yet known, but the alleged hacker has already published a large sample of location data from top consumer phone apps — including fitness and health, dating, and transit apps, as well as popular games. The data represents tens of millions of location data points of where people have been, live, work, and travel between.
Zack Whittaker, TechCrunch
While you’ve probably never heard of Gravy Analytics before now, the company claims to track over a billion devices around the globe each day through third-party advertising code that has long been present in many popular apps and games. Security researchers say a sample of the leaked data shows that the information can be used to reconstruct a user’s recent movements, with no meaningful anonymity. Baptiste Robert, the CEO of digital security firm Predicta Lab, obtained a copy of the leaked dataset and said it includes points at sensitive locations such as military bases, the White House, the Kremlin, and the Vatican. It’s unclear how directly the data was tied to named individuals, but even when such data is pseudonymized, it’s often not difficult to associate a device identifier with a specific person from the aggregate of its locations, as a 2019 report in The New York Times outlined: where a device spends its nights is a home address, and where it spends its weekdays is a workplace.
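As an added illustration (not from the article or the researchers it cites, and built on constructed sample pings rather than the leaked dataset), the following Python shows how a pseudonymous advertising ID is re-identified from nothing more than where a device sits at night and during working hours. The grid cell size, the hour windows, the pseudonyms and every coordinate are assumptions made for the demo.

```python
"""Added example (not code from the article, Gravy Analytics, or Predicta Lab):
a pseudonymous ad ID plus a few location pings is not anonymous.
All pings below are constructed sample data; coordinates are arbitrary."""
from collections import Counter
from datetime import datetime

# Constructed sample: (pseudonymous id, ISO timestamp, lat, lon).
# a1 and b2 share a night-time location (e.g. roommates); a1 and c3 share
# a daytime location (e.g. colleagues).  Only a1 has both.
PINGS = [
    ("a1", "2024-03-04T02:10:00", 38.9001, -77.0301),
    ("a1", "2024-03-05T01:40:00", 38.9003, -77.0299),
    ("a1", "2024-03-04T12:05:00", 38.8978, -77.0362),
    ("a1", "2024-03-05T13:30:00", 38.8977, -77.0363),
    ("b2", "2024-03-04T03:00:00", 38.9001, -77.0302),
    ("b2", "2024-03-04T11:45:00", 38.9050, -77.0120),
    ("b2", "2024-03-05T14:00:00", 38.9052, -77.0118),
    ("c3", "2024-03-04T02:30:00", 38.9240, -77.0510),
    ("c3", "2024-03-04T12:20:00", 38.8977, -77.0364),
]


def cell(lat, lon, precision=3):
    """Bucket a coordinate to roughly a city block (3 decimals is about 100 m).
    The precision is an assumption chosen for this demo."""
    return (round(lat, precision), round(lon, precision))


def infer_anchors(pings):
    """For each pseudonym, guess 'home' (most visited cell between 00:00 and
    06:00) and 'work' (most visited cell between 10:00 and 16:00).
    The hour windows are assumptions; real analyses also use weekdays."""
    night, day = {}, {}
    for pid, ts, lat, lon in pings:
        hour = datetime.fromisoformat(ts).hour
        c = cell(lat, lon)
        if 0 <= hour < 6:
            night.setdefault(pid, Counter())[c] += 1
        elif 10 <= hour < 16:
            day.setdefault(pid, Counter())[c] += 1
    anchors = {}
    for pid in set(night) | set(day):
        home = night[pid].most_common(1)[0][0] if pid in night else None
        work = day[pid].most_common(1)[0][0] if pid in day else None
        anchors[pid] = {"home": home, "work": work}
    return anchors


def reidentify(anchors, home_latlon, work_latlon):
    """Return the pseudonyms whose inferred anchors match a known person's
    home and workplace.  A single hit means the 'anonymous' ID is theirs."""
    h, w = cell(*home_latlon), cell(*work_latlon)
    return sorted(pid for pid, a in anchors.items()
                  if a["home"] == h and a["work"] == w)


if __name__ == "__main__":
    anchors = infer_anchors(PINGS)
    for pid, a in sorted(anchors.items()):
        print(pid, "home:", a["home"], "work:", a["work"])
    # Someone who knows a target's home street and office can now pick
    # their device out of the crowd.
    print("matches:", reidentify(anchors, (38.9002, -77.0300), (38.8978, -77.0362)))
```

Two pings a night and two a day per device are enough here; the leaked sample reportedly carries far more per device, which only makes the match more certain. The same joining trick works against any dataset keyed by a stable identifier, which is why deleting the identifier later does not undo an earlier leak.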
In December, the United States Federal Trade Commission (FTC) took action against Gravy Analytics and its subsidiary Venntel, prohibiting the companies from selling, sharing, or using sensitive location data in any product or service. The commission warned that the two firms exposed consumers to privacy leaks, which could disclose users’ health information and political and religious activities, putting affected users at risk of discrimination, violence and other hazards.
While the FTC order required Gravy Analytics to delete all historic location data and any data products that had been developed using the data that had been collected from consumers, it was unfortunately a case of closing the barn door after the horse got out, as the company’s systems had likely already been breached by that time.
Gravy Analytics sources much of its location data from real-time bidding, the milliseconds-long auction that decides which advertiser gets to show an ad on a device. Every party that bids, not just the winner, receives information about your device: its IP address (which can be used to approximate your geographical location), the device’s make and model, and, where the app user has granted the app access to it, more precise location data. All of this determines which ad will be displayed, but nothing stops a bidder from recording it whether or not it wins the auction.
The breached Gravy Analytics database included location data from several iPhone apps, including Grindr, Tinder, FlightRadar, and others.
iPhone users can disable app tracking under Settings > Privacy & Security > Tracking by turning off “Allow Apps to Request to Track.” This prevents advertising code from obtaining the device’s advertising identifier (IDFA), the stable value that lets location data and other personal information be linked to a specific device across apps; with tracking denied, apps receive an all-zero identifier instead. According to Robert, iPhone users who had disabled app tracking in their device’s settings did not have their data shared.
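The auction described above and the tracking switch just mentioned, as one added Python example (not code from the article, Gravy Analytics, or any ad exchange): it reads two constructed bid requests in the public OpenRTB 2.x layout and reports what any bidder receives from each. Field names (device.ip, device.ifa, device.lmt, device.geo) follow the OpenRTB schema; the app bundle, IP, identifier and coordinates are made up, and treating an all-zero IFA or lmt=1 as “no stable identifier” is this example’s own rule.

```python
"""Added example (not code from the article, Gravy Analytics, or any exchange):
what a bidder sees in an OpenRTB-style bid request, and how the iOS
'Allow Apps to Request to Track' switch changes it.  Both requests are
constructed; field names follow OpenRTB 2.x, all values are made up."""
import json

ZERO_IFA = "00000000-0000-0000-0000-000000000000"   # what iOS hands out when tracking is denied

# Constructed request: user allowed tracking and granted precise location.
# geo.type 1 = GPS/location services; accuracy is in metres.
REQ_TRACKING_ON = json.dumps({
    "id": "req-1",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ip": "203.0.113.42",
        "make": "Apple", "model": "iPhone15,2", "os": "iOS",
        "ifa": "6D92078A-8246-4BA4-AE5B-76104861E7DC",
        "lmt": 0,
        "geo": {"lat": 38.8977, "lon": -77.0365, "type": 1, "accuracy": 12},
    },
})

# Same device after the user denied tracking and turned off Precise Location:
# the IFA is all zeros, lmt (Limit Ad Tracking) is 1, and the SDK only has an
# approximate fix (the 3 km accuracy figure is an assumption for the demo).
REQ_TRACKING_OFF = json.dumps({
    "id": "req-2",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ip": "203.0.113.42",
        "make": "Apple", "model": "iPhone15,2", "os": "iOS",
        "ifa": ZERO_IFA,
        "lmt": 1,
        "geo": {"lat": 38.90, "lon": -77.04, "type": 1, "accuracy": 3000},
    },
})


def tracking_allowed(device):
    """A usable cross-app identifier exists only if lmt is 0 and the IFA is
    present and not the all-zero placeholder."""
    ifa = device.get("ifa", "")
    return device.get("lmt", 0) == 0 and bool(ifa) and ifa != ZERO_IFA


def location_grade(device):
    """Classify how good a location a bidder can harvest from the request.
    The 100 m threshold for 'precise' is an assumption for this example."""
    geo = device.get("geo") or {}
    if "lat" in geo and "lon" in geo:
        if geo.get("type") == 1 and geo.get("accuracy", 10**9) <= 100:
            return "precise"        # enough to place someone in a building
        return "coarse"             # neighbourhood or city level
    return "ip-only"                # bidder must geolocate device.ip itself


def bidder_view(raw):
    """Everything a bidding party (winner or not) receives from one request."""
    req = json.loads(raw)
    dev = req["device"]
    geo = dev.get("geo") or {}
    return {
        "app": req["app"]["bundle"],
        "ip": dev.get("ip"),
        "make_model": f'{dev.get("make")} {dev.get("model")}',
        "stable_id": dev.get("ifa") if tracking_allowed(dev) else None,
        "location": location_grade(dev),
        "latlon": (geo["lat"], geo["lon"]) if "lat" in geo and "lon" in geo else None,
    }


if __name__ == "__main__":
    for raw in (REQ_TRACKING_ON, REQ_TRACKING_OFF):
        print(json.dumps(bidder_view(raw), indent=2))
```

Note what the second request still leaks: the IP address, the device make and model, the app bundle and a coarse location all remain visible to every bidder. Denying tracking removes the stable key that stitches requests from different apps into one movement history; it does not make the individual request private.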
It’s always a good idea to disable Location Services for any app that doesn’t specifically need your precise location. Even apps that provide local news and weather can get by with a general location that identifies only your neighborhood or town rather than your specific address, and your iPhone lets you turn off “Precise Location” for any app under Settings > Privacy & Security > Location Services. Keep in mind that this limits what an app’s advertising code can collect going forward; it does nothing about location history that has already been sold on.