Data broker Gravy Analytics disclosed a massive data breach earlier this month [PDF], which exposed the precise location data of millions of iPhone and Android users. Gravy Analytics’ parent company Unacast says its AWS cloud storage environment had been accessed by an unauthorized person, reports TechCrunch.
The full scale of the data breach isn’t yet known, but the alleged hacker has already published a large sample of location data from top consumer phone apps — including fitness and health, dating, and transit apps, as well as popular games. The data represents tens of millions of location data points of where people have been, live, work, and travel between.
404Media reports that hackers claim to have harvested customer lists and location data showing millions of device users’ precise movements. Some of the data has been shared on private forums.
Baptiste Robert, the CEO of digital security firm Predicta Lab, obtained a copy of the leaked data, and say the stolen data include informations about several sensitive locations, including the White House, the Kremlin, the Vatican, military bases, and other spots around the globe.
The United States Federal Trade Commission (FTC) in December prohibited Gravy Analytics and its subsidiary Venntel from selling or sharing the location data in any app or service. The commission the companies exposed consumers to privacy breaches, which could expose a users’ information, including health information, their political and/or religious activities, putting users at risk of discrimination, violence and other dangers.
The FTC order did require Gravy Analytics to delete the location data, as well as any products developed with the data that was collected from users, but the company’s databases had likely already been breached by then.
Gravy Analytics sources much of its location data from a process called real-time bidding, which determines during a milliseconds-short auction which advertiser gets to show their ad on your device.
During the auctions, all of the ad bidders can see information about a user’s device, including the make and model, its IP addresses (which can expose a person’s approximate location), and, more precise location data if the app user has granted access, along with other technical factors that help determine which ad a user will see.
The exposed Gravy Analytics database included location data from several iPhone apps, including Grindr, Tinder, and other mobile apps.
If you’d like to protect yourself against data breaches like this, disable app tracking on your iPhone. You can do so by going into the settings app, and disabling app tracking.
