A significant data breach at Gravy Analytics has reportedly exposed detailed location information of millions of users from well-known smartphone applications such as Candy Crush, Tinder, MyFitnessPal, and others. Here’s what you need to know about the ongoing breach.
Gravy Analytics breach affects users of many leading smartphone applications
Gravy Analytics, a company that specializes in collecting location data from millions of iPhone and Android users, has suffered a cyberattack.
Last week, 404 Media reported that a hacker had successfully executed the breach. Leaked data has since emerged, validating these claims and revealing the extent of the problem.
Millions of pieces of accurate location data have become accessible, showing users’ frequently visited places like their homes and workplaces.
This data reportedly originates from a process known as real-time bidding (RTB), which is responsible for determining the advertisements displayed to users.
Zack Whittaker of TechCrunch explains:
During this near-instant auction, advertisers bidding can view certain device-related information, such as the manufacturer and model type, IP addresses (which can be used to estimate a person’s approximate location), and sometimes more precise location data if provided by the app user. Various technical factors also contribute to deciding which advertisement a user will see.
However, as a consequence of this process, any advertising party that bids—or anyone monitoring these auctions—can access an extensive set of ‘bidstream’ data that contains device information. Data brokers, including those that sell information to governments, can merge this data with other personal information to build a detailed profile of an individual’s life and location.
Gravy Analytics is one of these data brokers, and now its database has been compromised and is beginning to leak online.
Many popular advertising-focused applications have been affected.
Joseph Cox at WIRED notes:
The affected apps include dating platforms like Tinder and Grindr; popular games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, which has over 10 million downloads; fitness app MyFitnessPal; social media platform Tumblr; Yahoo’s email service; Microsoft’s 365 office suite; and flight tracking app Flightradar24. Additionally, there are multiple religious-focused applications, various pregnancy tracking tools, and numerous VPN applications, which some users might ironically install seeking better privacy.
A comprehensive list has been compiled and can be found here.
Positive news for iPhone users?
Details regarding the breach are still emerging, but there is an early sign of good news specifically for iPhone users.
Baptiste Robert, CEO of the digital security firm Predicta Lab, informed TechCrunch that if you declined an app’s tracking request, “your data has not been shared” by that particular app.
Robert is referencing the ‘Ask App Not to Track’ feature integrated into iOS.
In a message shared on X, Robert suggests users go to Settings ⇾ Privacy & Security ⇾ Tracking, where they can prevent apps from being allowed to request tracking permission. This screen also shows the tracking permissions you have previously granted.
An official statement from Apple has yet to be released, but if Robert’s assertions hold true, significantly fewer iPhone users should be affected by the Gravy Analytics breach.
We will keep you updated with important developments regarding the Gravy Analytics breach as more information comes to light.