Apparent data leak at position data collector Gravy Analytics
Criminals on the darknet claim to have captured data from location data collector Gravy Analytics. Concerns about privacy are spreading.
(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)
One of the largest location data collectors, Gravy Analytics, has apparently fallen victim to a cyber incident. In a darknet forum, criminals claim to have copied data on a large scale. The company's website is currently unavailable and only returns an error message (“503 Service Temporarily Unavailable”).
The Reuters news agency is among those reporting on the data leak. Screenshots appeared online on Sunday, in which Russian-speaking criminals claim to have broken into and stolen large amounts of data. Around 1.4Â GB of data allegedly emerged from this data leak. HudsonRock CTO Alon Gal describes on LinkedIn that he was able to examine a sample data set with 10 million location data from more than 15,000 apps provided by the intruder.
Many popular apps track user locations
A list on pastejustit shows which apps submit their users' location data to Gravy Analytics. 15,396 apps are on it, including popular ones such as Grindr (line 69), Tinder (line 172), Candy Crush Saga (line 221), µTorrent (line 1778), Eurosport (line 10090) or – especially in the USA, in many cases very problematic – apps that deal with pregnancies (26 entries on Pregnancy).
Videos by heise
Alon Gal explains that the exact position of these apps is recorded and over time a position history is created. Each entry therefore includes a unique smartphone ID, GPS coordinates, which app provided the data, a user agent, smartphone type, telecommunications provider and more. The data leaked so far is only a small part of the complete data set. More Gravy Analytics partnerships could also come to light, with a list of more than 1000 Gravy Analytics customers reportedly already published.
According to Socradar, customers include Apple, Equifax, Uber and more. Government contractors have also been affected by the data leak. High-ranking employees of the IT security companies RedSense and Huntress confirmed to Reuters that it is highly likely that the data is genuine.
The Federal Trade Commission (FTC) only took action against Gravy Analytics and its subsidiary Venntel Inc in December 2024 for unlawful tracking and selling sensitive location data of users – including data on customer visits to health-related locations or places of worship. As recently as December, the FTC is said to have reached a settlement with Gravy Analytics and Mobilewalla, which were accused of deceptive practices by collecting location data without proper consent, explains Reuters.
(dmk)
