Massive data breach exposes location history of millions of popular app users
Breach involves the theft of an estimated 10 terabytes of data
A major data breach has potentially compromised the location data of millions of users of apps like Spotify and Vinted, including in the UK.
Hackers are believed to have targeted US-based location data broker Gravy Analytics (GA), exposing sensitive information from users of thousands of popular apps, including Spotify, Vinted, Candy Crush, and Tinder.
The breach, first reported on the dark web by a hacker known as "Nightly," involves the theft of an estimated 10 terabytes of data, potentially containing years of location history, GPS coordinates, and IP addresses from millions of devices.
A 1.4GB sample of the data, verified by cybersecurity experts as originating from GA, has already been released online, containing location records for over 10 million individuals.
"It passes the smell test 100 percent," Marley Smith, the principal threat researcher at cyber intelligence company RedSense, told Reuters.
John Hammond, a cybersecurity expert with Huntress, said the data appeared legitimate.
"It all seems to point to it being legitimate," Hammond noted.
It is estimated that around 20 million people in Britain have used at least one of the apps affected by the breach.
While the extent of the data compromised for each individual user remains unclear, the potential consequences are significant. Stolen location data can be used by criminals for various malicious activities, including targeted scams, identity theft, and even blackmail.
In the past, cybersecurity experts have raised concerns around the widespread tracking of user location data by mobile apps.
Many apps, often without explicit user consent, collect and share location data with third parties for targeted advertising and other purposes.
GA is a major player in the location data brokering industry, selling user location data to various entities, including government agencies, hedge funds, and insurance companies.
Vinted acknowledged the potential impact on their users, saying it is investigating the situation.
"We are taking this matter seriously, as the safety of our members is a top priority," a spokesperson said.
"We are actively looking into the situation to determine whether our platform or members may have been affected, including any potential indirect impact through third parties. At this time, we do not have enough information to confirm any connection or impact."
Tinder denied any direct relationship with GA but said it was investigating the claims.
Gravy Analytics has faced scrutiny in the past for its data collection practices.
The company was recently embroiled in controversy following a crackdown by the Biden administration on data brokers specialising in hyper-granular location tracking.
In December, Gravy Analytics and a second broker, Mobilewalla, settled with the Federal Trade Commission (FTC) after being accused of deceptive practices. According to the FTC, both companies had been collecting location data from mobile users without obtaining proper consent.
Last month, FTC Chair Lina Khan highlighted the broader risks associated with the industry.
"The multi-billion-dollar industry built around targeted advertising may presently leave Americans' sensitive data extraordinarily exposed," Khan said in a statement.