A data breach has exposed the precise location information provided by millions of users to popular apps that serve advertisements, including dating apps, games, email clients, and even a period tracking app. A hacker who claimed responsibility for breaching data broker Gravy Analytics managed to collect data that could reveal users’ location information, including their home and workplace. Data collected from iOS and Android smartphones was affected in the breach, but some iPhone owners may have been protected by a feature that was introduced with iOS 14.5.
Gravy Analytics Data Breach Affected Both iOS and Android Users
A recent 404 Media report revealed that a hacker had breached Gravy Analytics, a data broker that collects and monetises location information from applications that are designed for iOS and Android smartphones. It resulted in the exfiltration of customer lists as well as location information from smartphones “which show people’s precise movements”.
The firm’s parent company, Unacast, disclosed to Norwegian authorities (via NRK) that a hacker managed to use a “misappropriated key” to access data via its cloud-based storage. The incident took place on January 4, according to the company’s disclosure. However, the document doesn’t reveal information related to the scale of the data breach.
According to Predicta Lab CEO Baptiste Robert, who accessed a 1.4GB sample of the leaked information, the data includes “tens of millions of location data points”, including military bases, as well as the Kremlin, the White House, and even the Vatican.
Robert also stated that the sample contained a list of 3,455 package names for Android that leaked user data, while pointing out that this was only a subset of the breached data. These reportedly include popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfers, Tumblr, and even Microsoft 365
App Tracking Transparency May Have Protected iPhone Users
According to Robert, the sample of the data from the breach reveals that the location data is linked to a device’s advertising ID. On an Android smartphone, a user’s location is connected to their Android Advertising ID (AAID), a unique 32-digit identifier that can be reset by users. Meanwhile, iPhone users’ location is tied to the Identifier for Advertisers (IDFA), a unique alphanumeric string that is assigned to a device.
🛰️ The Gravy Analytics breach exposes how easily citizens can be tracked:
– Seen at Space Launch Complex 36
– Work commute mapped
– Stops at Home Depot & family visits near Kansas City logged🔒 A stark reminder of the privacy risks in location data collection. https://t.co/uXGWR6UUGu pic.twitter.com/EiI5TUNmNY
— Baptiste Robert (@fs0c131y) January 9, 2025
This means that iPhone owners who are running on iOS 14.5 or later, which includes App Tracking Transparency (ATT), were protected if they selected the Ask App Not to Track option. When a user selects this option, iOS returns an empty value instead of their IDFA. Apple also allows users to block all requests to track users by default.
The expert says iPhone owners can navigate to Settings > Privacy & Security > Tracking and disable the Allow Apps to Request To Track toggle, while Android users can head to Settings > Privacy > Ads and tap on Delete advertising ID.
