Privacy of millions worldwide compromised as huge data location broker got hacked

The privacy of millions of people worldwide is at risk following an attack against a huge data location broker.

404 Media first reported the news of a potential data breach against Gravy Analytics on January 7, 2025, after a hacker threatened to publish the stolen data publicly on a forum.

The parent company of Venntel, Gravy Analytics, is a US data location broker that holds data from millions of iPhone and Android users worldwide. The hacker claimed that the compromised information included smartphone users' location data that could show peoples' precise movements.

The Gravy Analytics hack is the latest reminder of the dangers linked to the data broker industry. It also sheds light yet again on the need to minimize the information you share online as much as possible.

Gravy Analytics hack

"This isn’t your typical data leak, it’s a national security threat," wrote Baptiste Robert, the CEO of digital security firm Predicta Lab, in a long X thread after reviewing a sample of the leaked dataset.

The total size of the sample is 1.4 GB and contains over 30 million compromised locations worldwide. These include devices located at very sensitive places like the White House in Washington, the Kremlin in Moscow, Vatican City, and some military bases around the world.

The data locations of everyday users of popular apps also appear to have been leaked. These include the dating app Tinder, music player Spotify, and even the much-loved mobile game Candy Crush.

And this is just a sample of what we know so far. "Based on the hacker’s claim of having 10 TB of history, the entire dataset would likely contain approximately 217,494,792,857 locations," wrote Robert.

The Gravy Analytics hack is a stark reminder that your mobile apps are actively sharing your sensitive information like, in this case, your data location with data broker companies for profit.

Even Europeans, where stricter data protection laws like GDPR are in place, appear not to be exempt from this threat.

For instance, Norway-based company Unacast, the parent company of Gravy Analytics, also confirmed the breach which impacted over 146 thousand information on Norwegian mobile devices. On January 4, 2025, the firm disclosed details of the leak with the country’s data protection authorities to kick off an investigation as required by law.

According to Šarūnas Sereika, Senior Product Manager at VPN provider Surfshark, the Gravy Analytics breach "underscores the critical importance of safeguarding personal location data."

How to protect you online data

In his X thread, Robert from Predicta Lab suggests reviewing your phone's permissions as soon as possible to minimize data collection and sharing – no matter if you're living in the EU, UK, or any other country protected by data protection legislation.

On Android, you should head on Settings, Privacy, Ads, and tap on Delete advertising ID. If you're an iPhone user, head on Settings, Privacy & Security, Tracking, and tap on Allow Apps to Request To Track.

"For privacy, disable location and Wi-Fi when not needed to avoid being tracked. If an app shows ads, uninstall it. It likely shares your location with third parties," he added.

As Sereika from Surfshark explains, the many apps impacted – including Tinder, Spotify, and Citymapper – "were compromised without users' explicit consent, exposing precise location data, timestamps, and enabling detailed tracking of users’ movements."

This is why it's crucial to review all your mobile applications and disable all the permissions like location data sharing when these aren't needed for the service to work as it should.

I also recommend connecting to one of the best VPN services every time you connect to the internet, especially when you are on public Wi-Fi. A virtual private network (VPN) is, in fact, software that encrypts all your internet connections while masking your real IP address location.

Lastly, you should consider using a data removal service like Incogni to help you exercise your right to be forgotten and request data brokers to delete all the data they have on you.