Data Breach Exposed Precise Location Information of Millions Using Popular Smartphone Apps

[Pelican Press 0]

This is the hidden content, please

• Sign In
• or
• Sign Up

Data Breach Exposed Precise Location Information of Millions Using Popular Smartphone Apps

A data breach has exposed the precise location information provided by millions of users to popular apps that serve advertisements, including dating apps, games, email clients, and even a ******* tracking app. A hacker who claimed responsibility for breaching data broker Gravy Analytics managed to collect data that could reveal users’ location information, including their home and workplace. Data collected from iOS and Android smartphones was affected in the breach, but some iPhone owners may have been protected by a feature that was introduced with iOS 14.5.

Gravy Analytics Data Breach Affected Both iOS and Android Users

A recent 404 Media

This is the hidden content, please

• Sign In
• or
• Sign Up

revealed that a hacker had breached Gravy Analytics, a data broker that collects and monetises location information from applications that are designed for iOS and Android smartphones. It resulted in the exfiltration of customer lists as well as location information from smartphones “which show people’s precise movements”.

The firm’s parent company, Unacast,

This is the hidden content, please

• Sign In
• or
• Sign Up

to Norwegian authorities (

This is the hidden content, please

• Sign In
• or
• Sign Up

NRK) that a hacker managed to use a “misappropriated key” to access data via its cloud-based storage. The incident took place on January 4, according to the company’s disclosure. However, the document doesn’t reveal information related to the scale of the data breach.

According to Predicta Lab CEO Baptiste Robert, who

This is the hidden content, please

• Sign In
• or
• Sign Up

a 1.4GB sample of the leaked information, the data

This is the hidden content, please

• Sign In
• or
• Sign Up

“tens of millions of location data points”, including military bases, as well as the Kremlin, the White House, and even the ********.

Robert also stated that the sample contained a list of 3,455 package names for Android that leaked user data, while pointing out that this was only a subset of the breached data. These

This is the hidden content, please

• Sign In
• or
• Sign Up

include popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfers, Tumblr, and even

This is the hidden content, please

• Sign In
• or
• Sign Up

365

App Tracking Transparency May Have Protected iPhone Users

According to Robert, the sample of the data from the breach reveals that the location data is linked to a device’s advertising ID. On an Android smartphone, a user’s location is connected to their Android Advertising ID (AAID), a unique 32-digit identifier that can be reset by users. Meanwhile, iPhone users’ location is tied to the Identifier for Advertisers (IDFA), a unique alphanumeric string that is assigned to a device.

This is the hidden content, please

• Sign In
• or
• Sign Up

– Seen at Space Launch Complex 36
– Work commute mapped
– Stops at Home Depot & family visits near Kansas City logged

This is the hidden content, please

• Sign In
• or
• Sign Up

This is the hidden content, please

• Sign In
• or
• Sign Up

— Baptiste Robert (@fs0c131y)

This is the hidden content, please

• Sign In
• or
• Sign Up

This means that iPhone owners who are running on iOS 14.5 or later, which includes App Tracking Transparency (ATT), were protected if they selected the Ask App Not to Track option. When a user selects this option, iOS returns an empty value instead of their IDFA. Apple also allows users to block all requests to track users by default.

The expert says iPhone owners can navigate to Settings > Privacy & Security > Tracking and disable the Allow Apps to Request To Track toggle, while Android users can head to Settings > Privacy > Ads and tap on Delete advertising ID.