The privacy of millions of people around the world is at risk following an attack on a huge location data broker.
News of a potential data breach against Gravy Analytics was first reported by 404 Media on January 7, 2025, after a hacker threatened to publicly post the stolen data on a forum.
Venntel’s parent company, Gravy Analytics, is an American location data broker that holds data on millions of iPhone and Android users around the world. The hacker claimed that the compromised information included location data of smartphone users that could show people’s precise movements.
The Gravy Analytics hack is the latest reminder of the dangers linked to the data broker industry. It also sheds light once again on the need to minimize the information shared online as much as possible.
The Gravy Analytics hack
“This is not your typical data breach, it is a threat to national security,” wrote Baptiste Robert, CEO of digital security firm Predicta Lab, in a long X thread after reviewing a sample of the leaked data set.
The total sample size is 1.4 GB and contains more than 30 million compromised locations worldwide. These include devices located in very sensitive locations such as the White House in Washington, the Kremlin in Moscow, Vatican City and some military bases around the world.
It also appears that the location data of regular users of popular apps has been leaked. These include dating app Tinder, music player Spotify, and even the much-loved mobile game Candy Crush.
And this is just a sample of what we know so far. “Based on the hacker’s claim of having 10 TB of history, the entire data set would likely contain approximately 217,494,792,857 locations,” Robert wrote.
The hackers claim to have breached Gravy Analytics, a US location data broker that sells to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points in the US, Russia and Europe. It’s OSINT time! 👇 pic.twitter.com/sVlEEgEFcF January 8, 2025
The Gravy Analytics hack is a stark reminder that mobile apps actively share your sensitive information, in this case your location data, with for-profit data brokering companies.
Even people in Europe, where stricter data protection laws such as GDPR exist, do not appear to be exempt from this threat.
For example, Norway-based company Unacast, parent company of Gravy Analytics, also confirmed the breach that affected more than 146,000 data stored on Norwegian mobile devices. On January 4, 2025, the firm disclosed details of the leak to the country’s data protection authorities to initiate an investigation as required by law.
According to Šarūnas Sereika, senior product manager at VPN provider Surfshark, the Gravy Analytics breach “underscores the critical importance of safeguarding personal location data.”
How to protect your data online
In his thread of data.
On Android, you need to go to Settings, Privacy, Ads and tap Remove Advertising ID. If you’re an iPhone user, head to Settings, Privacy & security, Tracking, and tap Allow apps to request tracking.
“For privacy reasons, disable location and Wi-Fi when not necessary to avoid being tracked. If an app displays ads, uninstall it. It probably shares your location with third parties,” he added.
As Surfshark’s Sereika explains, the many affected apps, including Tinder, Spotify and Citymapper, “were compromised without users’ explicit consent, exposing precise location data, timestamps and allowing detailed tracking of users’ movements.”
That’s why it’s essential to review all your mobile apps and disable all permissions, such as sharing location data, when they are not necessary for the service to function as it should.
I also recommend connecting to one of the best VPN services every time you connect to the Internet, especially when you’re on public Wi-Fi. A virtual private network (VPN) is, in fact, software that encrypts all your Internet connections while masking the location of your real IP address.
Finally, you should consider using a data deletion service like Incogni to help you exercise your right to be forgotten and ask data brokers to delete all data they have about you.