Massive data breach exposes precise locations for users of popular apps


A huge data breach involving Gravy Analytics appears to have exposed precise location data for millions of users of popular smartphone apps like Candy Crush, Tinder, MyFitnessPal, and more. Here’s what you should know about the unfolding breach.

Gravy Analytics breach impacts users of many top smartphone apps

Gravy Analytics, a location data broker that holds data from millions of iPhone and Android users, has been hacked.

Last week, a hacker claimed to have pulled off the breach, as was first reported by 404Media. But now, data has started being released that confirms the assertion—and shows just how bad it is.

Millions of pieces of precise location data have been released, showing users’ most visited locations such as their home, workplace, and more.

The data reportedly originates in a process called real-time bidding, which determines the ads that get shown to app users.

Zack Whittaker at TechCrunch explains:

During that near-instant auction, all of the bidding advertisers can see some information about your device, such as the maker and model type, its IP addresses (which can be used to infer a person’s approximate location), and in some cases, more precise location data if granted by the app user, along with other technical factors that help determine which ad a user will be displayed.

But as a byproduct of this process, any advertiser that bids — or anyone closely monitoring these auctions — can also access that trove of so-called “bidstream” data containing device information. Data brokers, including those who sell to governments, can combine that collected information with other data about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.

Gravy Analytics is one such data broker, and now its data has been breached and has begun leaking publicly online.

Users of many popular ad-serving apps have been impacted.

Joseph Cox at WIRED writes:

The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

You can find a full list that someone has compiled here.

Good news for iPhone users?

Information on the breach is still emerging, but there’s one early sign of good news for iPhone users in particular.

Baptiste Robert, CEO of digital security firm Predicta Lab, told TechCrunch that if you rejected an app’s request to track you, “your data has not been shared” by that app.

Robert is referring to the ‘Ask App Not to Track’ permission prompt Apple has built into iOS.

In a post on X, Robert further encourages users to go to Settings ⇾ Privacy & Security ⇾ Tracking and stop apps from even being allowed to ask to track you. That screen also shows whether you’ve previously granted tracking permission.

There’s been no official statement from Apple to this point, but if Robert is correct, then there should be far fewer iPhone users impacted by the Gravy Analytics breach as a result.

We’ll keep you posted on key developments in the Gravy Analytics breach as more information is revealed.
