A recent data breach involving location data company Gravy Analytics has exposed widespread exploitation of mobile apps to harvest sensitive user location data. Apps ranging from popular games like Candy Crush to prayer and fitness apps have reportedly been used to collect location data, often without the knowledge of users or even the app developers themselves.
The breach sheds light on the shadowy practices of the advertising industry, where sensitive information is extracted through real-time bidding (RTB) processes. Companies bid to place ads inside mobile apps, and data brokers can intercept location data during these transactions. Unlike older methods where developers integrated location-tracking code into apps, the RTB ecosystem allows rogue advertisers to gather data surreptitiously.
Gravy Analytics, known for collating and selling location data, has come under scrutiny for its connections to these practices. The breach revealed tens of millions of mobile phone coordinates from users across the U.S., Europe, and Russia. Files from the hack linked location data to specific apps, implicating widely used services like Tinder, Grindr, Microsoft 365, and MyFitnessPal.
Gravy’s subsidiary, Venntel, has previously been criticized for selling location data to U.S. law enforcement. It remains unclear whether Gravy Analytics collected the hacked data directly or obtained it from third parties. Either way, the implications are significant: users’ sensitive information, including visits to places of worship and health clinics, may have been compromised.
The Federal Trade Commission (FTC) has taken steps to address these practices. Location data company Mobilewalla was barred from collecting consumer data through advertising auctions for purposes beyond the auctions themselves. Gravy Analytics and Venntel were ordered to delete historical location data and banned from selling information related to sensitive locations except in specific circumstances.
This breach underscores the growing privacy risks in the digital advertising ecosystem. Users are encouraged to be vigilant by limiting app permissions and blocking advertisements to reduce exposure to such data collection practices. Meanwhile, calls for stricter regulations on location data harvesting are intensifying to protect consumer privacy.