A data breach at Gravy Analytics, a location data collection company, threatens the privacy of millions of people around the world. The company collected data transmitted through mobile applications. TechCrunch reported the breach.
- The alleged hacker posted screenshots of location data on a closed Russian-language forum dedicated to cybercrime. He claimed to have stolen several terabytes of data from Gravy Analytics.
- Gravy Analytics' data is collected from the most popular health, dating, transportation, and gaming applications. It shows where people walk, live, work, and travel.
- Several media outlets wrote that Unacast (the parent company of Gravy Analytics) reported the incident to law enforcement in accordance with Norwegian law. In the report, they said they learned of the incident on January 4.
- The hacker gained access to files in the company's Amazon cloud environment through an "illegally obtained key." Unacast said it learned of the breach through communication with the hacker, but did not provide further details.
Norway-based Unacast merged with Gravy Analytics in 2023 to create one of the largest collections of consumer location data in the world.
How much data was leaked?
As many as 30 million locations may have been compromised, according to Baptiste Robert, CEO of digital security firm Predicta Lab, who obtained a copy of the leaked data.
According to him, the stolen information includes devices located at the White House, the Kremlin, the Vatican, and military bases around the world. The expert showed that it is possible to identify military personnel by overlaying location data on the locations of known Russian military facilities. The data can also be used to de-anonymize civilians.
Before the data leak was reported, the US Federal Trade Commission accused Gravy Analytics of collecting data on millions of people at sensitive locations such as medical clinics and military bases. The company was banned from collecting and selling Americans' data without their consent.
How does Gravy Analytics collect data?
Every iPhone or Android phone owner has an advertising ID that helps personalize ads based on data collected about the phone owner. This data can end up in the hands of various companies.
It is currently unknown how Gravy Analytics managed to collect such a large amount of location data, or whether it gathered the data itself or obtained it from other data brokers. 404 Media found that a significant portion of the user location data is derived from the device's IP address, which gives only a rough location, rather than from the precise GPS coordinates that the device owner grants access to.
To protect your data, cybersecurity experts recommend using ad blockers and resetting your advertising ID.