A data broker’s location data breach threatens the privacy of millions of people

A hack and data breach at location data broker Gravy Analytics threatened the privacy of millions of people around the world, whose smartphone apps inadvertently exposed their location data collected by the data giant.

The full scale of the data breach is not yet known, but the alleged hacker has already released a large sample of location data from top consumer phone apps — including fitness and health, dating and transit apps, as well as popular games. The data represents millions of location data points where people have been, live, work and travel between.

News of the breach emerged last week after a hacker posted screenshots of location data on a Russian-language cybercrime forum, claiming they had stolen several terabytes of customer data from Gravy Analytics. Independent news outlet 404 Media first reported the forum post alleging the apparent breach, which claimed to include the historical location data of millions of smartphones.

Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach to the country’s data protection authorities as required under its laws.

Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what was called one of the “largest” collections of customer location data at the time. Gravy Analytics claims to track over a billion devices worldwide every day.

In its data breach notice filed in Norway, Unacast said it identified on January 4 that a hacker had obtained files from its Amazon cloud environment via a “misappropriated key”. Unacast said it was informed of the breach through a conversation with the hacker, but the company did not provide further details. The company said its operations were taken offline shortly after the breach.

Unacast said in the notice that it had also notified the UK Data Protection Authority of the breach. A spokesperson for the UK’s Information Commissioner’s Office did not immediately comment when reached by TechCrunch on Monday.

Unacast executives Jeff White and Thomas Walle did not return multiple emails requesting comment from TechCrunch this week. In an unverified statement sent to TechCrunch on Sunday from a generic Gravy Analytics email account, Unacast acknowledged the breach, saying its “investigation is ongoing.”

The Gravy Analytics website was still down at the time of writing. Several other domains associated with Gravy Analytics were also found to be non-functional, according to a check by TechCrunch over the past week.

30 million location data points have been leaked so far

Data privacy advocates have long warned about the risks data brokers pose to individuals’ privacy and national security. Researchers with access to a sample of Gravy Analytics location data posted by the hacker say the information could be used to broadly track people’s recent whereabouts.

Baptiste Robert, CEO of digital security firm Predicta Lab, which obtained a copy of the leaked dataset, said in a thread on X that the data set contains more than 30 million location data points. These include devices located at the White House in Washington, DC; the Kremlin in Moscow; Vatican City; and military bases around the world. One of the maps shared by Robert showed the location data of Tinder users throughout the United Kingdom. In another post, Robert demonstrated that it was possible to identify individuals serving as military personnel by overlaying the stolen location data with the locations of known Russian military facilities.

A map showing Tinder users located across the United Kingdom. Image Credits: Baptiste Robert / X

Robert cautioned that the data also allows for easy deanonymization of ordinary individuals; in one example, the data tracked a person as they traveled from New York to their home in Tennessee. Forbes reported on the risks the dataset poses for LGBTQ+ users, whose location data obtained from certain apps can identify them in countries that criminalize homosexuality.

News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumers’ consent. The FTC has accused the company of illegally tracking millions of people in sensitive locations like healthcare clinics and military bases.

Location data tapped from advertising networks

Gravy Analytics sources much of its location data from a process known as real-time bidding, a staple of the online advertising industry that determines, during a milliseconds-long auction, which advertiser gets to deliver its ad to your device.

During that near-instant auction, all bidding advertisers can see some information about your device, such as the manufacturer and model type, its IP address (which can be used to infer a person’s approximate location), and in some cases more precise location data if the app user has granted it, along with other technical factors that help determine which advertisement will be displayed to the user.

But as a byproduct of this process, any advertiser that bids — or anyone closely monitoring these auctions — can also access so-called “bidstream” data containing device information. Data brokers, including those that sell to governments, can combine the information they collect with other data about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.

Analysis of the location data by security researchers, including Predicta Lab’s Robert, reveals thousands of ad-serving apps that have shared bidstream data, often unwittingly, with data brokers.

The data set includes data from popular Android and iPhone apps including FlightRadar, Grindr and Tinder — all of which have denied any direct business links to Gravy Analytics but have acknowledged displaying ads. But by the nature of how the advertising industry works, it’s possible for ad-serving apps to have their users’ data collected without explicitly knowing about it or consenting to it.

As reported by 404 Media, it’s unclear how Gravy Analytics obtained its vast amount of location data, whether the company collected the data itself or from other data brokers. 404 Media found that much of the location data was inferred from the device owner’s IP address, which is geolocated to approximate their real-world location, rather than relying on the device owner allowing the app access to the device’s exact GPS coordinates.
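For app developers and privacy reviewers who want to see what an ad SDK exposes in each auction, the following added example (not from the original article or any company named in it) audits bid requests for the fields described above. It assumes the OpenRTB 2.x `device` and `geo` field names; the sample requests are constructed, and `audit_bid_request` is a hypothetical helper name.

```python
import json

# OpenRTB 2.x geo.type values: how the location in the request was derived.
GEO_SOURCE = {1: "gps", 2: "ip", 3: "user_provided"}
ZERO_IFA = "00000000-0000-0000-0000-000000000000"  # zeroed advertising ID

# Constructed sample bid requests (not taken from the leaked data set).
SAMPLES = json.loads("""[
 {"id": "req-a", "app": {"bundle": "com.example.transit"},
  "device": {"make": "ExampleCo", "model": "X1", "ip": "203.0.113.7",
             "ifa": "3f2c1a90-1111-4222-8333-abcdefabcdef",
             "geo": {"lat": 59.91387, "lon": 10.75225, "type": 1}}},
 {"id": "req-b", "app": {"bundle": "com.example.game"},
  "device": {"make": "ExampleCo", "model": "X1", "ip": "203.0.113.7",
             "ifa": "00000000-0000-0000-0000-000000000000", "lmt": 1,
             "geo": {"lat": 59.9, "lon": 10.8, "type": 2}}},
 {"id": "req-c", "app": {"bundle": "com.example.news"},
  "device": {"make": "ExampleCo", "model": "X1"}}
]""")

def decimals(value):
    """Decimal places in a coordinate; 4 or more is roughly street level."""
    text = repr(float(value))
    return len(text.split(".")[1]) if "." in text and "e" not in text else 0

def audit_bid_request(req):
    """Summarise what every bidder in this auction learns about the device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    ifa = dev.get("ifa", "")
    stable_id = bool(ifa) and ifa != ZERO_IFA
    has_coords = "lat" in geo and "lon" in geo
    precise = (has_coords and geo.get("type") == 1
               and min(decimals(geo["lat"]), decimals(geo["lon"])) >= 4)
    if stable_id and precise:
        exposure = "high"    # persistent ID tied to GPS-grade coordinates
    elif stable_id or has_coords or "ip" in dev:
        exposure = "medium"  # linkable ID, or at least a coarse location
    else:
        exposure = "low"
    fallback = "unknown" if has_coords else "none"
    return {"app": req.get("app", {}).get("bundle"),
            "location_source": GEO_SOURCE.get(geo.get("type"), fallback),
            "stable_ad_id": stable_id, "ip_present": "ip" in dev,
            "exposure": exposure}

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["id"], audit_bid_request(r))
```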

What you can do to prevent ad surveillance

Per digital rights group the Electronic Frontier Foundation, ad auctions happen on almost every website, but there are steps you can take to protect yourself from ad surveillance.

Using an ad-blocker — or a mobile-level content blocker — can be an effective protection against ad surveillance by blocking ad code on websites from loading in the user’s browser to begin with.

Android devices and iPhones also have device-level features that make it more difficult for advertisers to track you between apps or across the web by linking your pseudonymous device data with your real-world identity. The EFF also has a good guide on how to check these device settings.

If you have an Apple device, you can go to the “Tracking” options in your settings and turn off the setting that allows apps to request to track. This zeroes out your device’s unique identifier, making it indistinguishable from anyone else’s.

“If you disable app tracking, your data is not shared,” Robert told TechCrunch.

Android users should go to the “Privacy” then “Ads” section of their phone settings. If the option is available, you can delete your advertising ID to prevent any apps on your phone from accessing your device’s unique identifier in the future. People without this setting should still reset their advertising ID regularly.

Preventing apps from accessing your specific location when not necessary will also help reduce your data footprint.

