Last week, our colleagues at 404 Media revealed that Gravy Analytics, a company specializing in the resale of location-based data, had been the victim of a cyberattack. Cybercriminals managed to get hold of a database belonging to the American group, including location data collected via smartphones. This data reveals where users live, work and travel. This information is obviously anonymized and initially intended for advertisers.
A cyberattack confirmed
A few days later, Gravy Analytics confirmed the theft of the data collected by it in a press release. Unacast, the parent company of Gravy Analytics, has in fact reported the leak to the Norwegian authorities. Founded in Norway in 2004, Unacast merged with Gravy Analytics in 2023, making the data breach the responsibility of Norwegian regulators.
In the breach notice, spotted by TechCrunch, Unacast said it discovered the attack sometime during the day on January 4, 2025. According to the company’s investigation, “unauthorized access” was recorded on cloud storage offered by Amazon. The access was made possible by the use of a “misappropriated access key.”It’s unclear how the hackers obtained the access key that triggered the cyberattack.
Unacast said the incident was only detected when the hackers contacted Gravy Analytics. The Norwegian company is “currently investigating whether any personal data was affected.” Depending on the results of the investigation, the group will notify all affected individuals, in accordance with the law. It added that it has contacted the relevant British authorities.
Which apps compromised your location data?
To prove their claims, the hackers posted a sample of 30 million identifiers, out of a staggering seven billion total, on a Russian-language forum. Each identifier represents a smartphone on the map. By digging through the samples provided by the cybercriminals, researchers have compiled a non-exhaustive list of the applications affected by the leak. It is likely through these applications that Gravy Analytics was able to collect a mountain of location data.
Expert Baptiste Robert, who studied the files in depth, drew up a list of the applications involved on Github. According to the investigations carried out by the French researcher, the company relied on more than 3,000 applications to achieve its ends and track billions of smartphones. Among the apps cited are dating apps like Tinder and Grindr, games like Call of Duty or Candy Crush, social networks like Tumblr, or fitness apps, such as MyFitnessPal. We also find Yahoo Mail and MooveIt. Pregnancy tracking applications are also pinned by the researcher, including My Period Calendar & Tracker.
Invisible data collection
Several of the applications listed have firmly denied any collusion with Gravy Analytics, despite the files found in the compromised data samples. This is the case for Tinder. Contacted by our colleagues at Wired, the dating application denies "any relationship with Gravy Analytics" and indicates that it has "no proof that this data was obtained from the Tinder application". The same goes for Grindr, which claims to have "never worked with or provided data to Gravy Analytics":
This isn’t really a surprise. It turns out that much of the data collection is happening through the ad ecosystem, not through app makers’ code. Ultimately, the location data vacuuming often happens without users or even app developers being aware of it. As researcher Zach Edwards tells Wired, this is “the first time” that we have “public evidence that one of the largest data brokers, which sells to commercial and government clients, is getting its information from the ‘auction stream’ of online advertising, rather than through code embedded directly in apps.”
When a user visits a site or uses an app, their information (like their location) is shared with advertisers to determine which ads to prioritize. This data sharing, which is usually invisible to users, can be exploited by third parties such as data brokers like Gravy Analytics.
Source: TechCrunch
0 Comments