A company collecting and reselling geolocation data has been hacked. User information from more than 12,000 popular apps has been stolen. A particularly delicate situation, for individuals and governments alike.

A company collecting and reselling geolocation data has been hacked


A scenario that cybersecurity experts consider nightmarish has just happened, and yet we have been spoiled recently, with successive waves of hacks! Russian cybercriminals managed to hack Gravy Analytics, an American company little known to the general public, but responsible for collecting your geolocation data for thousands of companies around the world and reselling it. A gigantic file containing the movements of millions of users around the world, including France, recorded through their smartphones, was stolen and put up for sale on the Dark Web. This is particularly sensitive information, which can make it possible to reconstruct users' journeys throughout the day and to identify them, whether they are private individuals, members of the military or politicians.

According to information published by 404 Media and Wired, more than 12,000 Android and iOS applications, whose companies worked directly or through partners with Gravy Analytics, were used to recover data, such as Candy Crush, Tinder, MyFitnessPal, Tumblr, Vinted, Yahoo Mail and Call of Duty: Mobile. French applications like Gala, Leboncoin and Télé-Loisirs are also part of this list. The stolen documents also mention the names of several clients of the group, including Apple, Comcast, Equifax, Gannett, LexisNexis, and Uber. The hackers threaten to publish all the data if they do not receive the requested ransom. Many cybersecurity experts deem the announcement credible, and publication would be a real disaster.

Gravy Analytics hack: 7 billion location identifiers stolen

The leak is simply gigantic. Hackers claim to have stolen more than 10 TB of data. They also published a sample of 30 million location identifiers, out of a total of 7 billion. This information includes the latitude, longitude and exact time of user movements. Examples provided by the hackers show phone locations in various countries, including Mexico, Morocco, the Netherlands, North Korea, Pakistan and Palestine. And, importantly, several of the identifiers have been located at the White House in Washington, the Kremlin in Moscow, Vatican City and several military bases around the world.

Here is the list of the main applications mentioned in the leak; a more complete list, with more than 3,000 names, is available on a GitHub page. There are dating applications, social networks, sports applications, but also thousands of games (solitaire, sudoku, poker, etc.):

  • Tinder
  • Grindr
  • 9GAG
  • MooveIt
  • Vinted
  • Flightradar24
  • Yahoo Mail
  • Yahoo Finance
  • Candy Crush
  • Temple Run
  • Subway Surfers
  • Harry Potter: Puzzles & Spells
  • Tumblr
  • Kik
  • Wattpad
  • Leboncoin
  • Télé-Loisirs
  • Radio France
  • Ouest-France
  • Muslim Pro
  • Bible apps
  • MyFitnessPal
  • My Period Calendar & Tracker
  • Call of Duty (Mobile)

Gravy Analytics hack: a leak with serious consequences

“Geolocation data is highly personal and sensitive. While it is generally used for marketing purposes, it can be misused for espionage purposes. It can also be used in geopolitical contexts, including in war zones,” warns Benoît Grunemwald, cybersecurity expert at ESET France. Thanks to the data collected, it is possible to track identifiers specific to a smartphone through its use of the application. This in itself does not reveal the identity of the users, since it is only a matter of “dots” placed in various places, but the most persistent third parties, such as intelligence agencies, for instance, can combine this data with other information to recover the identity of a particular user, and thus track them. It is a way to learn more about your habits, your journeys, your places of residence and work, and even those around you.

Benoît Grunemwald sees two main dangers for individuals: “an increased risk of cyberattacks combining location information with other data (from previous leaks) [which] can fuel ultra-targeted phishing attacks” and “a feeling of violation of one’s privacy, stress or fear among victims [which] can turn into distrust towards digital technology and the companies that operate it as well as towards public authorities.” Note that European users are also affected, despite the regulations put in place by the European Union.

Additionally, the presence of military and government data in the stolen file increases national security risks. Indeed, the company provides information to several government agencies, including the FBI and Immigration and Customs Enforcement. With this data, it is entirely possible to identify individuals likely to serve in the military by overlaying stolen location data with the locations of known military installations, as Baptiste Robert of the digital security company Predicta Lab points out. As for data from apps like Grindr, it can be used to identify users in countries that criminalize homosexuality.

Gravy Analytics hack: massive data collection that poses a problem

Another point raises concerns. It turns out that the applications concerned did not necessarily transmit this data directly to Gravy Analytics. The company largely collected it through advertisements that collect user data. This method allows data brokers to access precise information about users’ movements without their explicit consent.

Moreover, last December, the American consumer protection agency, the FTC, accused the company of illegally selling information on Americans to government agencies and prohibited it from using the data collected without the consent of the people concerned. Worse, it ordered the company to delete the data, estimating that the industry, worth several billion dollars and focused on “targeted advertising could alarmingly expose Americans’ sensitive data”. Events have proved it right…

The database has since been removed from the forum. It is impossible to know whether it was purchased by Gravy Analytics, which allegedly paid the ransom, or by a malicious third party. If you ever use one of these applications, check that it is up to date, modify your access and be careful with the emails and SMS you receive in order to avoid possible phishing attempts. To protect yourself from abusive location collection, consider turning off location and Wi-Fi when you don’t need them. Remember to go to the settings of your smartphone. On Android, go to Settings


