A major data breach at Gravy Analytics has exposed a vast network of location tracking affecting millions of users across thousands of popular mobile apps, including Candy Crush, Tinder, and MyFitnessPal.
Hackers who breached the location data broker have threatened to publicly release sensitive information, including customer lists and historical location data collected from smartphones. The breach has raised serious privacy concerns about widespread location tracking happening without users' knowledge.
According to investigations by Wired magazine, the affected apps span both Android and iOS platforms. Beyond gaming and dating apps, the list includes mainstream applications like Microsoft Outlook and specialized tools like period tracking apps.
The data collection appears to have occurred through real-time advertising bidding systems, where advertisers can access device information and IP addresses. Many app publishers may have been unaware that their users' location data was being gathered and sold.
"This is the nightmare scenario privacy advocates have feared," said Zach Edwards, senior threat analyst at Silent Push. He warned that the breach could enable dangerous de-anonymization of individuals and tracking of vulnerable populations.
The exposed data could reveal sensitive personal information, including visits to medical facilities or details about sexual orientation. While some location data came from IP addresses, apps that were granted precise location permissions may have had that more detailed location data compromised.
Several companies named in the breach, including Tinder and Grindr, have denied any direct relationship with Gravy Analytics and stated they have no evidence of data collection through their apps.
The breach has highlighted concerns about Gravy Analytics' business practices, including its subsidiary Venntel's previous sales of location data to U.S. government agencies for immigration operations.
This incident marks what experts call the first major breach of a bulk location data provider, raising alarms about potential future attacks and the broader implications for user privacy in the mobile app ecosystem.