A hack and data breach at location data broker Gravy Analytics is threatening the privacy of millions of people around the world whose smartphone apps unwittingly revealed their location data collected by the data giant.
The full scale of the data breach isn’t yet known, but the alleged hacker has already published a large sample of location data from top consumer phone apps, including fitness and health, dating, and transit apps, as well as popular games. The data represents tens of millions of location data points of where people have been, live, work, and travel between.
News of the breach broke last weekend after a hacker posted screenshots of location data on a closed-access Russian language cybercrime forum, claiming they had stolen several tebibytes of consumers’ data from Gravy Analytics. Independent news outlet 404 Media first reported the forum post alleging the apparent breach, which claimed to include the historical location data of millions of smartphones.
Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach with the country’s data protection authority as required under its law.
Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it touted at the time as “one of the largest” collections of consumers’ location data. Gravy Analytics claims to track more than a billion devices around the world daily.
In its data breach notice filed with Norway, Unacast said it identified on January 4 that a hacker acquired files from its Amazon cloud environment through a “misappropriated key.” Unacast said it was made aware of the breach through communication with the hacker, but the company gave no further details. The company said its operations were briefly taken offline following the breach.
Unacast said in the notice that it also notified U.K. data protection authorities of the breach. Lucy Milburn, a spokesperson for the U.K.’s Information Commissioner’s Office, confirmed to TechCrunch that the ICO has “received a report from Gravy Analytics and are making enquiries.”
Unacast executives Jeff White and Thomas Walle did not return multiple emails from TechCrunch this week requesting comment. In an unattributed statement from a generic Gravy Analytics email account sent to TechCrunch on Sunday, Unacast acknowledged the breach, saying that its “investigation remains ongoing.”
Gravy Analytics’ website was still down at the time of writing. Several other domains associated with Gravy Analytics also appeared to be non-functional, according to checks by TechCrunch over the past week.
30 million location data points leaked so far
Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to the sample of Gravy Analytics’ location data posted by the hacker say that the information can be used to extensively track people’s recent whereabouts.
Baptiste Robert, the CEO of digital security firm Predicta Lab who obtained a copy of the leaked dataset, said in a thread on X that the dataset contained more than 30 million location data points. These include devices located at The White House in Washington, D.C.; the Kremlin in Moscow; Vatican City; and military bases around the world. One of the maps shared by Robert showed the location data of Tinder users across the United Kingdom. In another post, Robert showed it was possible to identify individuals likely serving as military personnel by overlapping the stolen location data with the locations of known Russian military facilities.
Robert warned that the data also allows for easy deanonymization of ordinary individuals; in one example, the data tracked a person as they traveled from New York to their home in Tennessee. Forbes reported about the dangers that the dataset has for LGBTQ+ users, whose location data derived from certain apps could identify them in countries that criminalize homosexuality.
News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumers’ consent. The FTC accused the company of unlawfully tracking millions of people to sensitive locations, like healthcare clinics and military bases.
Location data tapped from ad networks
Gravy Analytics sources much of its location data from a process called real-time bidding, a key part of the online advertising industry that determines during a milliseconds-short auction which advertiser gets to deliver their ad to your device.
During that near-instant auction, all of the bidding advertisers can see some information about your device, such as the maker and model type, its IP addresses (which can be used to infer a person’s approximate location), and, in some cases, more precise location data if granted by the app user, along with other technical factors that help determine which ad a user will be displayed.
But as a byproduct of this process, any advertiser that bids, or anyone closely monitoring these auctions, can also access that trove of so-called “bidstream” data containing device information. Data brokers, including those who sell to governments, can combine that collected information with other data about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.
Analyses of the location data by security researchers, including Predicta Lab’s Robert, reveal thousands of ad-displaying apps that have shared, often unknowingly, bidstream data with data brokers.
As noted by 404 Media, it is unclear how Gravy Analytics obtained its massive troves of location data, such as whether the company collected the data itself or from other data brokers. 404 Media found that large amounts of the location data was inferred from the device owner’s IP address, which is geolocated to approximate their real-world location, rather than relying on the device owner allowing the app to access the device’s precise GPS coordinates.
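The device fields described in this section, shown as an added example that is not from the article or from any company it names. It assumes the bid request uses the IAB OpenRTB 2.x JSON field names (`device.ifa`, `device.ip`, `device.geo`), which the article does not specify; the sample request, the helper names, and the coarsening thresholds are constructed for illustration.

```python
import copy
import ipaddress

ZERO_IFA = "00000000-0000-0000-0000-000000000000"  # what a zeroed ad ID looks like
GEO_TYPE = {1: "gps", 2: "ip-derived", 3: "user-provided"}  # OpenRTB Geo.type values

# Constructed sample of the app/device portion of a bid request (not real data).
SAMPLE = {
    "app": {"bundle": "com.example.fitness"},
    "device": {
        "make": "ExampleCo", "model": "Phone 1",
        "ip": "203.0.113.77",
        "ifa": "6f1c2a9e-1111-4222-8333-444455556666",
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1},
    },
}

def exposure(req):
    """List the fields that let a bid recipient locate or re-identify the device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    found = []
    if dev.get("ifa") and dev["ifa"] != ZERO_IFA:
        found.append("persistent advertising ID")
    if "lat" in geo and "lon" in geo:
        found.append("coordinates (" + GEO_TYPE.get(geo.get("type"), "unknown") + ")")
    if dev.get("ip"):
        found.append("IP address")
    return found

def minimize(req):
    """Return a copy with the ad ID zeroed, coordinates coarsened, IP truncated."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    if "ifa" in dev:
        dev["ifa"] = ZERO_IFA
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], 1)  # 0.1 degree is roughly 11 km of latitude
    if dev.get("ip"):
        addr = ipaddress.ip_address(dev["ip"])
        prefix = 24 if addr.version == 4 else 48  # assumed truncation widths
        dev["ip"] = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)
    return out
```

Even after minimization the request still carries a coarse location and a truncated IP, so `exposure()` keeps reporting those two fields; only the persistent identifier that links auctions together is gone.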
What you can do to prevent ad surveillance
Android devices and iPhones also bake in device-level features that make it more difficult for advertisers to track you between apps or across the web, and link your pseudonymous device data to your real-world identity. The EFF also has a good guide on how to check these device configurations.
If you have an Apple device, you can go to the “Tracking” options in your settings and switch off the setting for app requests to track. This zeroes out your device’s unique identifier, making it indistinguishable from anyone else’s.
“If you disable the app tracking, your data has not been shared,” Robert told TechCrunch.
Android users should go to the “Privacy” then “Ads” section of their phone’s settings. If the option is available, you can delete your advertising ID to prevent any app on your phone accessing your device’s unique identifier in the future. Those without this setting should still regularly reset their advertising IDs.
Preventing apps from accessing your precise location when it’s not needed will also help reduce your data footprint.
Updated with comment from the ICO .
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch via SecureDrop.