A data breach has exposed the precise location information supplied by hundreds of thousands of users to popular apps that serve ads, including dating apps, games, email clients, and even a period tracking app. A hacker who claimed responsibility for breaching data broker Gravy Analytics managed to collect data that could reveal users’ location information, including their home and workplace. Data collected from iOS and Android smartphones was affected in the breach, but some iPhone owners may have been protected by a feature that was introduced with iOS 14.5.
Gravy Analytics Data Breach Affected Both iOS and Android Users
A recent 404 Media report revealed that a hacker had breached Gravy Analytics, a data broker that collects and monetises location information from applications designed for iOS and Android smartphones. The breach resulted in the exfiltration of customer lists as well as location information from smartphones “which show people’s precise movements”.
The firm’s parent company, Unacast, disclosed to Norwegian authorities (via NRK) that a hacker managed to use a “misappropriated key” to access data via its cloud-based storage. The incident took place on January 4, according to the company’s disclosure. However, the document does not reveal information related to the size of the data breach.
According to Predicta Lab CEO Baptiste Robert, who accessed a 1.4GB sample of the leaked information, the data includes “tens of millions of location data points”, including military bases, as well as the Kremlin, the White House, and even the Vatican.
Robert also stated that the sample contained a list of 3,455 Android package names of apps that leaked user data, while noting that this was only a subset of the breached data. These reportedly include popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfers, Tumblr, and even Microsoft 365.
App Tracking Transparency May Have Protected iPhone Users
According to Robert, the sample of the data from the breach shows that the location data is linked to a device’s advertising ID. On an Android smartphone, a user’s location is associated with their Android Advertising ID (AAID), a unique 32-digit identifier that can be reset by users. Meanwhile, iPhone users’ location is tied to the Identifier for Advertisers (IDFA), a unique alphanumeric string that is assigned to a device.
The Gravy Analytics breach exposes how easily residents can be tracked:
– Seen at Space Launch Complex 36
– Work commute mapped
– Stops at Home Depot & household visits close to Kansas City logged
A stark reminder of the privacy risks in location data collection. https://t.co/uXGWR6UUGu pic.twitter.com/EiI5TUNmNY
- Baptiste Robert (@fs0c131y) January 9, 2025
This means that iPhone owners running iOS 14.5 or later, which includes App Tracking Transparency (ATT), were protected if they selected the Ask App Not to Track option. When a user selects this option, iOS returns an empty value instead of their IDFA. Apple also allows users to block all requests to track users by default.
The expert says iPhone owners can navigate to Settings > Privacy & Security > Tracking and disable the Allow Apps to Request To Track toggle, while Android users can head to Settings > Privacy > Ads and tap on Delete advertising ID.