Tuesday, January 14, 2025

Gravy Analytics Hacked

Joseph Cox:

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements, and they are threatening to publish the data publicly.

[…]

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem — not code developed by the app creators themselves — this data collection is likely happening both without users’ and even app developers’ knowledge.

Nick Heer:

You remember Gravy Analytics, right? It is the one from the stories and the FTC settlements, though it should not be confused with all the other ones.

Juli Clover:

Gravy Analytics’ parent company Unacast disclosed the data breach earlier this month [PDF], and said that its AWS cloud storage environment had been accessed by an unauthorized person using a “misappropriated access key.”

[…]

The order required Gravy Analytics to delete all historic location data and any data products developed using data collected from consumers, but it was apparently too late because the company’s systems had likely already been breached at the time.

Gravy Analytics collects location data through a real-time ad bidding process that allows companies competing to buy an ad to see customer IP address and more precise location data if enabled.

[…]

Baptiste Robert, CEO of security firm Predicta Lab, told TechCrunch that iPhone users that had app tracking disabled did not have their data shared.

See also: Bruce Schneier.

Old Unix Geek

I wonder whether corporate death penalty would work to make these companies take security seriously: your investors will lose their investment, and your management will be replaced and banned from working in tech.