
A data breach has exposed precise location information that millions of users provided to popular ad-serving apps, including dating apps, games, email clients, and even period tracking apps. A hacker who claims responsibility for breaching data broker Gravy Analytics managed to obtain data that can reveal users' locations, including their homes and workplaces. Data collected from both iOS and Android smartphones is affected, but some iPhone owners may be protected by features introduced in iOS 14.5.
Gravy Analytics data breach affects iOS and Android users
A recent 404 Media report shows that hackers breached Gravy Analytics, a data broker that collected and monetized location information from apps designed for iOS and Android smartphones. This led to the exposure of customer lists and smartphone location information, "showing people's precise movements."
Gravy Analytics' parent company, Unacast, disclosed to Norwegian authorities (via NRK) that hackers managed to use "stolen keys" to access data in its cloud-based storage. According to the company's disclosure, the incident occurred on January 4. However, the document does not reveal the scale of the data breach.
According to Predicta Lab CEO Baptiste Robert, who accessed a sample of the leaked information, the data includes "tens of millions of location data points," covering military bases, the Kremlin, the White House, and even the Vatican.
Robert also noted that the sample contains a list of 3,455 Android package names for apps that leaked user data, adding that this is only a subset of the breached data. These applications reportedly include Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfer, Tumblr, and even Microsoft 365.
App Tracking Transparency May Protect iPhone Users
Robert said that samples of the breached data show that location data is linked to the device's advertising ID. On an Android smartphone, the user's location is tied to its Android Advertising ID (AAID), a unique 32-digit numerical identifier that can be reset by the user. Meanwhile, an iPhone user's location is associated with the Identifier for Advertisers (IDFA), a unique alphanumeric string assigned to the device.
Gravy Analytics leak reveals how easy it is to track citizens:
– See 36 in the space launch complex
– Work Mapping
– Login at home warehouses and home access near Kansas City
Open the privacy risks in location data collection. https://t.co/uxgwr6uugu pic.twitter.com/eii5tunmny
– Baptiste Robert (@fs0c131y) January 9, 2025
This means that iPhone owners running iOS 14.5 or later, which includes App Tracking Transparency (ATT), may be protected if they chose the Ask App Not to Track option. When the user selects this option, iOS returns a null value instead of the device's IDFA. Apple also lets users block all app tracking requests by default.
Experts say iPhone owners can navigate to Settings > Privacy & Security > Tracking and disable the Allow Apps to Request to Track toggle, and Android users can go to Settings > Privacy > Ads and tap Delete advertising ID.