Imagine walking into your favorite local restaurant, and someone already knows you’re there. Thanks to a massive data breach at a U.S.-based location data broker, this stunning reality is now possible—and your location just became a bullseye.
In this attack, the hackers allegedly exploited software development kits (SDKs) embedded in popular mobile apps that secretly sent users’ precise location data to Gravy Analytics. By targeting the company’s massive data storage, they stole over 10 terabytes of sensitive information, including GPS coordinates and user movements.
Vulnerabilities in the SDKs enabled this data collection without users’ consent. The hackers then leaked a sample on a Russian cybercriminal forum, exposing intimate details of users’ lives and revealing the hidden dangers of third-party data harvesting.
It appears the apps weren’t hacked directly but likely played a key role in data collection:
- Embedded SDKs: Popular apps like Tinder and Spotify allegedly used SDKs from Gravy Analytics to collect users’ location data.
- Data collection & transmission: These SDKs reportedly gathered GPS coordinates and sent them to Gravy Analytics’ servers without users’ knowledge.
- Hackers’ pounced: Hackers supposedly targeted Gravy Analytics’ centralized storage, stealing over 10 terabytes of sensitive location data, exposing users’ movements and visits to sensitive places.
This breach exposes the dark side of the $21 billion location data industry, where your movements are routinely harvested, sold, and, as we now see, stolen. The leaked data could fuel fraud, extortion, and stalking. For example, if hackers know you recently visited your bank or hospital, they could launch personalized phishing attacks.
Early estimates suggest millions of users worldwide are affected, including 20 million in the UK alone. One of the impacted apps claims no direct relationship with the compromised analytics firm, while another denies any connection, raising questions about how data moves behind the scenes. This breach highlights just how pervasive location data collection practices are and how little control users have over their digital footprints.
What’s surprising is how mobile apps facilitate data collection—often without users realizing it. By integrating third-party SDKs, app developers can unintentionally enable continuous tracking, transmitting precise location data to external companies. Users grant location access for app functionality, but few are aware of the extensive data sharing occurring behind the scenes.
This breach makes one thing clear: your location data isn’t just a digital beacon—it’s a bullseye.
Commentary
Hacked and Tracked: How Attackers Are Cashing In
Table of Contents
Imagine walking into your favorite local restaurant, and someone already knows you’re there. Thanks to a massive data breach at a U.S.-based location data broker, this stunning reality is now possible—and your location just became a bullseye.
In this attack, the hackers allegedly exploited software development kits (SDKs) embedded in popular mobile apps that secretly sent users’ precise location data to Gravy Analytics. By targeting the company’s massive data storage, they stole over 10 terabytes of sensitive information, including GPS coordinates and user movements.
Vulnerabilities in the SDKs enabled this data collection without users’ consent. The hackers then leaked a sample on a Russian cybercriminal forum, exposing intimate details of users’ lives and revealing the hidden dangers of third-party data harvesting.
It appears the apps weren’t hacked directly but likely played a key role in data collection:
This breach exposes the dark side of the $21 billion location data industry, where your movements are routinely harvested, sold, and, as we now see, stolen. The leaked data could fuel fraud, extortion, and stalking. For example, if hackers know you recently visited your bank or hospital, they could launch personalized phishing attacks.
Early estimates suggest millions of users worldwide are affected, including 20 million in the UK alone. One of the impacted apps claims no direct relationship with the compromised analytics firm, while another denies any connection, raising questions about how data moves behind the scenes. This breach highlights just how pervasive location data collection practices are and how little control users have over their digital footprints.
What’s surprising is how mobile apps facilitate data collection—often without users realizing it. By integrating third-party SDKs, app developers can unintentionally enable continuous tracking, transmitting precise location data to external companies. Users grant location access for app functionality, but few are aware of the extensive data sharing occurring behind the scenes.
This breach makes one thing clear: your location data isn’t just a digital beacon—it’s a bullseye.
Protect your digital world
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Share this cybersecurity insight
Other cybersecurity insights
Cybersecurity Threat Roundup #22: Copybara, Crocodilus, Lucid, and more
SparkKitty: A Silent Threat in ‘Trusted’ Apps
WestJet Breach Shows Why Downtime Is a Business Killer
Darcula’s Digital Playbook: The Global Scam That’s Redefining Mobile Threats