The privacy of millions of people worldwide is at risk after an attack against a huge location data broker.
404 Media first reported the news of a potential data breach against Gravy Analytics on January 7, 2025, after a hacker threatened to post the stolen data publicly on a forum.
Venntel’s parent company, Gravy Analytics, is an American location data broker that holds data from millions of iPhone and Android users worldwide. The hacker claimed that the compromised information included smartphone users’ location data that could show people’s precise movements.
The Gravy Analytics hack is the latest reminder of the dangers associated with the data brokerage industry. It also highlights once again the need to minimize the information you share online as much as possible.
Gravy Analytics hack
“This is not your typical data breach, this is a national security threat,” wrote Baptiste Robert, CEO of digital security firm Predicta Lab, in a lengthy X thread after reviewing a sample of the leaked data set.
The sample is 1.4 GB in size and contains over 30 million compromised locations worldwide. These include devices located in highly sensitive places such as the White House in Washington, the Kremlin in Moscow, Vatican City and some military bases around the world.
The location data of regular users of popular apps also appears to have been leaked. These include the dating app Tinder, the music player Spotify and even the much-loved mobile game Candy Crush.
And this is just a sampling of what we know so far. “Based on the hacker’s claim of having 10 TB of history, the entire dataset is likely to contain approximately 217,494,792,857 locations,” Robert wrote.
The Gravy Analytics hack is a stark reminder that your mobile apps are actively sharing your sensitive information, in this case your location data, with data brokers for profit.
Even Europeans, who are covered by stricter data protection laws such as GDPR, do not appear to be exempt from this threat.
For example, Norway-based company Unacast, the parent company of Gravy Analytics, also confirmed the breach, which affected over 146 thousand pieces of data on Norwegian mobile devices. On January 4, 2025, the company disclosed details of the leak to the country’s data protection authorities to launch an investigation, as required by law.
According to Šarūnas Sereika, Senior Product Manager at VPN provider Surfshark, the Gravy Analytics breach “underscores the critical importance of protecting personal location data.”
How to protect your online data
In his X thread, Robert from Predicta Lab suggests reviewing your phone’s permissions as soon as possible to minimize data collection and sharing – whether you live in the EU, UK or any other country protected by data protection laws.
On Android, go to Settings, Privacy, Ads and tap Delete Advertising ID. If you’re an iPhone user, go to Settings, Privacy & Security, Tracking and tap Allow apps to request tracking.
“For privacy reasons, turn off location and Wi-Fi when not needed to avoid being tracked. If an app is showing ads, uninstall it. It’s probably sharing your location with third parties,” he added.
As Sereika of Surfshark explains, the many affected apps – including Tinder, Spotify and Citymapper – were “compromised without users’ express consent, exposing precise location data, timestamps and enabling detailed tracking of users’ movements.”
This is why it is crucial to go through all your mobile applications and disable all permissions such as location data sharing when these are not necessary for the service to function as it should.
I also recommend connecting to one of the best VPN services every time you connect to the Internet, especially when you’re on public Wi-Fi. A virtual private network (VPN) is software that encrypts all of your internet connections while masking your real IP address.
Finally, you should consider using a data removal service like Incogni to help you exercise your right to be forgotten and request data brokers to delete all the data they hold about you.