A major data breach at location analytics firm Gravy Analytics has exposed sensitive location data from millions of iPhone and Android users, raising serious privacy concerns.
The company's parent organization Unacast confirmed that an unauthorized party accessed their AWS cloud storage using a stolen access key. Hackers claim to have obtained detailed customer lists and precise location tracking data, with some of this sensitive information already appearing on private forums.
The breach impacts users of popular apps like FlightRadar, Grindr, and Tinder. While these apps don't directly share data with Gravy Analytics, the company collected location information through their advertising systems.
Security researchers examining sample data confirmed the leaked information can reveal individuals' recent location history without any anonymization. Gravy Analytics typically tracks over a billion devices globally each day through real-time ad bidding processes that expose user IP addresses and precise location data.
This breach comes shortly after the U.S. Federal Trade Commission (FTC) took action against Gravy Analytics in December, prohibiting the company from selling or using sensitive location data due to privacy risks. The FTC cited concerns about potential exposure of health information, political activity, and religious practices that could lead to discrimination or harm.
iPhone users who disabled app tracking features in their Privacy and Security settings were protected from having their data collected. Experts recommend turning off precise location access and app tracking to enhance privacy protection.
The incident highlights ongoing concerns about data brokers' collection and security practices regarding sensitive personal information. While Gravy Analytics was ordered to delete historic location data, the breach had likely already occurred when the FTC's order was issued.