A data breach at location data broker Gravy Analytics has exposed tens of millions of location data points collected from smartphone users around the world, sparking serious privacy and security concerns.
According to reports, the breach revealed sensitive location data from popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal, and religious-focused apps, among others.
The leaked dataset, posted by a hacker on a Russian-language cybercrime forum, also included coordinates from significant locations, such as the White House, the Kremlin, Vatican City, and military bases worldwide.
Gravy Analytics, a major player in the location data industry, confirmed the breach occurred on January 4, due to a compromised key in its Amazon cloud environment.
According to Norwegian broadcaster NRK, Unacast, Gravy’s parent company, notified data protection authorities in Norway and the U.K. as required by law. Gravy’s systems were temporarily taken offline following the incident, and its investigation remains ongoing.
The U.S. Federal Trade Commission (FTC) has previously sanctioned Gravy Analytics and its subsidiary, Venntel, for unlawfully collecting and selling location data without user consent.
The FTC ordered the company to delete historical data and banned it from selling data related to sensitive areas, except under specific circumstances involving national security or law enforcement.
In light of the breach, digital rights organizations, including the Electronic Frontier Foundation, have emphasized the need for stronger privacy protections. Experts recommend that users take steps to protect their data, such as disabling app tracking permissions, using ad blockers, and regularly resetting advertising identifiers on mobile devices.