The privacy of millions of people around the world is at risk following an attack on a massive location data broker.
404 Media first reported news of a potential data breach against Gravy Analytics on January 7, 2025, after a hacker threatened to publicly post the stolen data on a forum.
Venntel’s parent company, Gravy Analytics, is an American data tracking broker that holds the data of millions of iPhone and Android users around the world. The hacker claimed the compromised information included smartphone users’ location data that could show people’s precise movements.
The Gravy Analytics hack is the latest reminder of the dangers of the data broker industry. It also once again highlights the need to minimize the information you share online as much as possible.
Gravy Analytics Hack
“This is not a typical data breach, this is a threat to national security,” wrote Baptiste Robert, CEO of digital security company Predicta Lab, in a lengthy X thread after reviewing a sample of the leaked dataset.
The total sample size is 1.4 GB and contains over 30 million compromised locations worldwide. These include devices located in highly sensitive locations such as the White House in Washington, the Kremlin in Moscow, Vatican City and some military bases around the world.
The location data of everyday users of popular apps also appears to have been leaked. These include dating app Tinder, music player Spotify and even the popular mobile game Candy Crush.
And that’s just a sample of what we know so far. “Based on the hacker’s claim that he had 10TB of history, the data set would likely contain approximately 217,494,792,857 locations,” Robert wrote.
Hackers claim to have hacked Gravy Analytics, a US location data broker selling to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points in the United States, Russia and Europe. It’s OSINT time! 👇 pic.twitter.com/sVlEEgEFcF (January 8, 2025)
The Gravy Analytics hack is a stark reminder that your mobile apps are actively sharing your sensitive information, in this case your location data, with data brokerage firms for profit.
Even Europeans, who are covered by stricter data protection laws such as GDPR, do not seem immune from this threat.
For example, Norwegian company Unacast, parent company of Gravy Analytics, also confirmed the breach, which affected more than 146,000 pieces of information on Norwegian mobile devices. On January 4, 2025, the company disclosed details of the leak to the country’s data protection authorities in order to launch an investigation as required by law.
According to Šarūnas Sereika, senior product manager at VPN provider Surfshark, the Gravy Analytics breach “highlights the critical importance of protecting personal location data.”
How to protect your data online
In his X thread, Robert from Predicta Lab suggests reviewing your phone’s permissions as soon as possible to minimize data collection and sharing, whether you live in the EU, UK, or any other country protected by data protection legislation.
On Android, you need to head to Settings, Privacy, Ads and tap Remove Advertising ID. If you’re an iPhone user, go to Settings, Privacy & Security, Tracking, then tap Allow apps to request tracking.
“For privacy reasons, turn off location and Wi-Fi when you don’t need them to avoid being tracked. If an app is showing ads, uninstall it. It’s probably sharing your location with third parties,” he added.
As Surfshark’s Sereika explains, the many affected apps – including Tinder, Spotify and Citymapper – “were compromised without users’ explicit consent, exposing precise location data, timestamps and enabling detailed tracking of users’ movements.”
That’s why it’s crucial to review all your mobile apps and turn off any permissions like sharing location data when they’re not necessary for the service to function as it should.
I also recommend connecting to one of the best VPN services every time you connect to the Internet, especially when using public Wi-Fi. A virtual private network (VPN) is software that encrypts all of your Internet connections while hiding your real IP address and its location.
Finally, you should consider using a data deletion service like Incogni to help you exercise your right to be forgotten and ask data brokers to delete any data they have on you.