Last week, major location data broker Gravy Analytics disclosed a data breach that may have resulted in the theft of precise location data for millions of people, reports TechCrunch. That appears to include data from popular mobile games like Candy Crush, as well as dating apps, pregnancy tracking apps, and more, as 404 Media wrote on Thursday, following up its report of the breach two days earlier.
Baptiste Robert, CEO of digital security company Predicta Lab, said in a series of posts Wednesday that the small sample data set published in a Russian forum contained data for “tens of millions of data points worldwide” and included “sensitive locations like the White House, Kremlin, Vatican, military bases, and more.” As TechCrunch notes, the sample alone contained more than 30 million locations.
Visualizing such a massive amount of location data is no easy task.
Google Earth Pro crashed at 500k location points, and our OSINT platform hit its limit at 1.5 million. Even if it is “just” a sample, rendering the entire dataset at once is a real challenge. pic.twitter.com/VTZGjsG79L
— Baptiste Robert (@fs0c131y) January 8, 2025
Gravy said in its disclosure to the Norwegian Data Protection Authority that it “identified unauthorized access to its AWS cloud storage environment” on January 4th. It says in the disclosure that it’s still investigating how long hackers had access to its cloud environment and whether the hack “constitutes a reportable personal data breach.” As for what or who was affected, the company writes:
Gravy Analytics is working diligently to determine the scope of the incident and the nature of the information involved. Preliminary findings indicate that an unauthorized person obtained certain files, which could contain personal data. These are currently being analyzed. If it is determined that personal data is involved, that personal data is likely associated with users of third-party services that supply this data to Gravy Analytics.
Gravy Analytics was one of two data brokers targeted last month in a proposed FTC order that forbids it from “selling, disclosing, or using sensitive location data in any product or service.” The FTC at the time wrote that its subsidiary, Venntel, collected data from apps and sold access to that data to businesses or government agencies, including the IRS, DEA, FBI, and ICE.
