Data broker Gravy Analytics has been hacked, and location information from millions of iPhone and Android users is at risk, reports TechCrunch. Gravy Analytics' parent company Unacast disclosed the data breach earlier this month [PDF], and said that its AWS cloud storage environment had been accessed by an unauthorized person using a "misappropriated access key."
"Some files" were obtained, and preliminary findings suggest those files "could contain personal data" collected from users of third-party services that use Gravy Analytics. According to 404Media, hackers are claiming to have customer lists and location data from smartphones that shows peoples' precise movements, with millions of users affected. Some of that data, which does indeed include the historical location of smartphones, has been published on private forums.
Gravy Analytics says that it tracks more than a billion devices around the world daily, and security researchers that saw a sample of the data collected by Gravy Analytics confirmed that the information can be used to track a person's recent locations, with no anonymization.
In December, the United States Federal Trade Commission (FTC) prohibited Gravy Analytics and its subsidiary Venntel from selling, disclosing, or using sensitive location data in any product or service. The FTC warned that the two companies exposed consumers to privacy harms that could include disclosure of health information, political activity, and religious practices, and put people at risk of stigma, discrimination, violence and other harms.
The order required Gravy Analytics to delete all historic location data and any data products developed using data collected from consumers, but it was apparently too late because the company's systems had likely already been breached at the time.
Gravy Analytics collects location data through a real-time ad bidding process that allows companies competing to buy an ad to see customer IP address and more precise location data if enabled. Gravy Analytics' database had location data from iPhone apps that include FlightRadar, Grindr, and Tinder, and while the apps did not have a direct relationship with the data broker, user location information was collected through their ads.
Turning off app tracking in the Privacy and Security section of the iPhone's Settings app keeps ads from being able to obtain a unique device identifier to link location data to a specific device, and preventing apps from using precise location data is also a way to preserve more privacy.
Baptiste Robert, CEO of security firm Predicta Lab, told TechCrunch that iPhone users that had app tracking disabled did not have their data shared.
