(Credit: alexsl/Getty Images)
A leak at data broker Gravy Analytics might have exposed precise location data from some of the most popular Android and iOS apps, 404Media reports.
While the impact of the breach is unconfirmed, a screenshot posted by the hackers on the Russian cybercrime forum XSS indicated they have the "personal data of millions" of users.
According to screenshots posted on X by Baptiste Robert, CEO of digital security company Predicta Lab, the exposed data also includes location information from the White House, Kremlin, Vatican, military bases, and other sensitive areas.
Affected apps include Temple Run, Subway Surfers, Tinder, Grindr, MyFitnessPal, Candy Crush, Truecaller, 9GAG, Microsoft 365, and others. The full list shared by Wired also had some pregnancy-tracker and religion-focused apps.
Gravy Analytics notified the Norwegian Data Protection Authority of the breach last week, stating that it identified unauthorized access to its AWS cloud storage on Jan. 4 via a "misappropriated access key." According to 404Media, since Gravy collects data from the advertising ecosystem, the breach likely occurred without the users' or app developers' knowledge.
If users have denied an app's request to track their location, their data has not been leaked, Robert tells TechCrunch. To disable app tracking, iPhone users can go to Settings > Privacy & Security > Tracking, and Android users can go to Settings > Privacy and disable app tracking permissions for each app.
Gravy Analytics typically sells its harvested data to commercial companies or, at times, US government agencies through its subsidiary, Venntel. Under a proposed order in December, the FTC had initiated actions against Gravy and Venntel for "unlawfully tracking and selling sensitive location data from users." The agency also planned to prohibit the two companies from selling or sharing sensitive location data "except in limited circumstances involving national security or law enforcement."