A significant data breach involving Gravy Analytics has reportedly exposed detailed location data concerning millions of users of popular mobile applications like Candy Crush, Tinder, MyFitnessPal, and others. Here’s what you need to know about the ongoing breach.
Gravy Analytics breach affects many major smartphone app users
Gravy Analytics, a location data broker that collects information from millions of iPhone and Android users, has experienced a hacking incident.
Last week, a hacker asserted they executed the breach, which was initially reported by 404Media. Subsequently, data has begun to surface that supports this claim—and illustrates the severity of the situation.
Millions of instances of precise location data have been made public, revealing users’ frequented locations, including their homes, workplaces, and more.
This data is believed to stem from a real-time bidding process used by apps to determine which advertisements are displayed to users.
Zach Whittaker from TechCrunch clarifies:
During this nearly instantaneous auction, advertisers can access some data about your device, including the maker and model, IP addresses (which can help approximate a user’s location), and occasionally, more accurate location data if shared by the app user. Additionally, various technical factors assist in deciding which advertisement to show.
However, as a side effect of this process, any advertiser participating in these auctions — or those closely observing them — can also obtain access to the “bidstream” data containing device details. Data brokers, including those providing information to governments, can merge these details with additional data from various sources to create a comprehensive profile of an individual’s life and location.
Gravy Analytics is one such data broker, and now its data has been compromised and is beginning to leak online.
Users of multiple well-known apps have been affected.
Joseph Cox from WIRED notes:
This list includes dating apps Tinder and Grindr; major games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a menstrual tracking app with over 10 million downloads; the fitness application MyFitnessPal; the social networking site Tumblr; Yahoo’s email service; Microsoft’s 365 office application; and flight tracking service Flightradar24. The list also highlights several faith-based applications, including Muslim prayer and Christian Bible apps, various pregnancy tracking tools, and multiple VPN applications, which some may ironically have downloaded to enhance their privacy.
A complete list compiled by someone is available here.
Positive news for iPhone users?
Details regarding the breach are still emerging, but there is an initial sign of good news specifically for iPhone users.
Baptiste Robert, CEO of the digital security company Predicta Lab, informed TechCrunch that if you denied an app’s request to track your activity, “your data has not been shared.”
Robert is alluding to the ‘Ask App Not to Track’ feature that Apple has incorporated into iOS.
In a post on X, Robert further suggests users navigate to Settings ⇾ Privacy & Security ⇾ Tracking to prevent apps from asking for tracking permission. This section will also display if you’ve ever granted such permission in the past.
Apple has yet to release an official statement regarding the breach, but if Robert’s assertion is accurate, significantly fewer iPhone users may be affected due to this measure.
We will keep you informed on important updates about the Gravy Analytics breach as further information becomes available.
Top iPhone Accessories
FTC: We utilize income-generating auto affiliate links. More.
