A significant data breach has revealed location information from millions of users of popular applications, including dating services, games, email clients, and a menstrual tracking app. A hacker associated with the breach of Gravy Analytics was able to obtain sensitive data that may disclose users’ home and workplace locations. Both iOS and Android devices were impacted, although some iPhone users might have been shielded by recent privacy features introduced in iOS 14.5.
Recent Breach of Gravy Analytics Affects Users Across Platforms
A report published by 404 Media has outlined a breach involving Gravy Analytics, a data broker with a focus on monetizing user location information obtained from various applications compatible with iOS and Android smartphones. The breach led to the unauthorized extraction of customer lists and location data revealing precise movements of users.
The breach was reported to Norwegian authorities by Unacast, the parent company of Gravy Analytics, which revealed that the hacker exploited a “misappropriated key” to access data stored in the firm’s cloud infrastructure. This incident occurred on January 4, although details regarding the extent of the data compromised were not disclosed in the report.
Baptiste Robert, CEO of Predicta Lab, who accessed a 1.4GB sample of the leaked data, indicated that it contained “tens of millions of location data points.” This data encompasses notable locations such as military installations, the Kremlin, the White House, and the Vatican.
Robert further highlighted that the sample included names of 3,455 Android applications linked to the exposed user data. Among these are widely used apps such as Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfers, Tumblr, and Microsoft 365.
App Tracking Transparency Could Have Shielded iPhone Users
The analysis of the breached data suggests it is linked to devices via their advertising IDs. On Android devices, a user’s location data is associated with their Android Advertising ID (AAID), which can be reset by users. In contrast, the location information for iPhone users is connected to the Identifier for Advertisers (IDFA), a unique alphanumeric identifier assigned to each device.
🛰️ The Gravy Analytics breach exposes how easily citizens can be tracked:
– Seen at Space Launch Complex 36
– Work commute mapped
– Stops at Home Depot & family visits near Kansas City logged
🔒 A stark reminder of the privacy risks in location data collection. https://t.co/uXGWR6UUGu pic.twitter.com/EiI5TUNmNY
— Baptiste Robert (@fs0c131y) January 9, 2025
If iPhone users running iOS 14.5 or newer opted for the Ask App Not to Track feature, they may have been safeguarded from exposure. Choosing this option causes iOS to return an empty value in place of the IDFA. Moreover, Apple allows users to disable all tracking requests by default.
According to experts, iPhone users can adjust their settings by navigating to Settings > Privacy & Security > Tracking and turning off the Allow Apps to Request to Track setting. Android users can follow a similar path through Settings > Privacy > Ads and select Delete advertising ID.
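For app teams reviewing what their bundled ad and analytics SDKs transmit, the sketch below is an added example (not code from the 404 Media report, Gravy Analytics, or the leaked sample) that flags outbound events pairing a usable advertising ID with precise coordinates, the combination described above. It assumes hypothetical field names (ad_id, lat, lon), uses constructed sample events, and treats the all-zero UUID as the "empty value" the platforms return after opt-out.

```python
import uuid
from collections import Counter

# All-zero UUID: what iOS returns as the IDFA when tracking is not authorized,
# and what Android returns once the advertising ID has been deleted.
ZERO_ID = uuid.UUID(int=0)

def ad_id_is_linkable(raw):
    """True if raw parses as a UUID other than the all-zero opt-out value."""
    try:
        return uuid.UUID(str(raw)) != ZERO_ID
    except ValueError:
        return False  # missing or malformed: no stable key to join on

def has_precise_location(event):
    """True if either coordinate carries more than two decimal places (~1 km)."""
    try:
        coords = (float(event["lat"]), float(event["lon"]))
    except (KeyError, TypeError, ValueError):
        return False
    return any(abs(v - round(v, 2)) > 1e-9 for v in coords)

def classify(event):
    """Label one outbound event by what its recipient could join on."""
    if not has_precise_location(event):
        return "no-precise-location"
    if ad_id_is_linkable(event.get("ad_id")):
        return "linkable"  # persistent ID + precise fix: a trackable trail
    return "unlinked-location"

def audit(events):
    """Count events per label across a captured batch."""
    return dict(Counter(classify(e) for e in events))

# Constructed sample events; field names and values are hypothetical.
SAMPLE = [
    {"ad_id": "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b", "lat": 10.12345, "lon": 20.54321},
    {"ad_id": "00000000-0000-0000-0000-000000000000", "lat": 10.12345, "lon": 20.54321},
    {"ad_id": "", "lat": 10.98765, "lon": 20.13579},
    {"ad_id": "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b", "lat": 10.12, "lon": 20.54},
    {"ad_id": "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b"},
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE).items()):
        print(f"{label}: {count}")
```

Events labelled "linkable" are the ones to remove or coarsen before they leave the device, since a zeroed or absent ID gives a downstream recipient nothing stable to join successive location fixes on.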