Our smartphones and other devices collect and then transmit large amounts of data about us to dozens, perhaps hundreds, of third-party companies every single day. This includes our location data, and the market for such data is large. Naturally enough, the buying and selling goes on without our knowledge, creating obscure risks to our privacy.
The recent hack of location data broker Gravy Analytics clearly illustrates the potential pitfalls of such practices. This post analyzes how data brokers operate, and what can happen if the information they collect leaks. We also give tips on what you can do to protect your location data.
What location data brokers are
Data brokers are companies that collect, process, and sell information about users. They get this information from mobile apps, online ad networks, online analytics systems, telecom operators, and a host of other sources from smart-home devices to cars.
In theory, this data is only collected for analytics and targeted advertising. In practice, however, there are often no restrictions on usage, and seemingly anyone can buy it. So, out there in the real world, your data can be used for virtually any purpose. For example, an investigation last year revealed that commercial data brokers — directly or through intermediaries — may even serve government intelligence agencies.
Data brokers collect all kinds of user information, of which one of the most important and sensitive categories is location data. It’s so in demand, in fact, that besides more generalized data brokers, companies exist that focus on it specifically.
These are the location-data brokers — organizations specializing in collecting and selling information about user location. One of the major players in this segment is U.S. location tracking firm Gravy Analytics, which merged with Norway’s Unacast in 2023.
The Gravy Analytics data leak
In January 2025, news broke of a data leak at Gravy Analytics. At first it was confined to unofficial reports based on a post that appeared on a private Russian-language hacker forum. The poster claimed to have hacked Gravy Analytics and stolen the location data of tens of millions of users, providing screenshots of the data trove as proof.
It wasn’t long before official confirmation came through. Under Norwegian law, Gravy Analytics’ parent, Unacast, was legally required to notify the national regulator.
The company’s statement reported that on January 4, an unauthorized person gained access to Gravy Analytics’ AWS cloud storage environment “through a misappropriated access key”. The intruder “obtained certain files, which could contain personal data”.
Analysis of the data Gravy Analytics leaked
Unacast and Gravy Analytics were in no hurry to specify what data could have been compromised. However, within a few days, an independent security researcher published their own in-depth analysis of the leaked information based on a sample of the stolen data they’d been able to obtain.

The Gravy Analytics leak included the location data of users worldwide. Source
It turned out that the Gravy Analytics hack did indeed leak a huge set of location data of users worldwide — from Russia to the US. The fragment analyzed by the researcher was 1.4GB in size, and consisted of around 30 million records — mostly collected in the first days of January 2025. Meanwhile, the hacker claimed the stolen database is 10TB, meaning it could potentially contain over 200 billion records!
This data was collected by mobile apps and bought by Gravy Analytics to be aggregated and subsequently sold to clients. As the analysis of the leak showed, the list of apps used to collect location data runs into the thousands. For example, the sample studied contained data collected from 3455 Android apps — including dating apps.

UK-based Tinder users’ location data is an example of what can be found in the data leaked from Gravy Analytics. Source
Tracking and deanonymizing users with the Gravy Analytics leak data
What’s most unpleasant about the Gravy Analytics hack is that the leaked database is linked to advertising IDs: IDFA for iOS and AAID for Android devices. In many cases, this makes it possible to track users’ movements over time. Here, for instance, is a map of such movements in the vicinity of the White House in Washington, D.C. (keep in mind that this visualization uses only a small sample of the stolen data; the full database contains much more):

Data in the Gravy Analytics leak linked to advertising IDs can be used to track users’ movements over time. Source
Worse yet, some data can be deanonymized. For example, the researcher was able to track the movements of a user who visited the Blue Origin launch pad:

An example of user deanonymization using location data leaked from Gravy Analytics. Source
Another example: the researcher was able to track a user’s movements from the Columbus Circle landmark in Manhattan, New York City, to his home in Tennessee, and then to his parents’ house the next day. Based solely on OSINT data, the researcher learned a great deal about this person, including their mother’s name and the fact that their late father was a U.S. Air Force veteran.

Another example of user deanonymization using location data leaked from Gravy Analytics. Source
The Gravy Analytics data breach demonstrates the serious risks associated with the data broker industry, and location data brokers in particular. As a result of the hack, a huge amount of user location records collected by mobile apps spilled out into the public domain.
This data makes it possible to track the movements of a great many people with fairly high accuracy. And although the leaked database doesn’t contain direct personal identifiers such as first and last names, ID numbers, addresses, or phone numbers, the linkage to advertising IDs can in many cases lead to deanonymization. So, based on various quasi-identifiers, it’s possible to establish a user’s identity, find out where they live and work, as well as trace their social connections.
How to protect your location data?
Unfortunately, collecting user location data is now such a widespread practice that there’s no easy answer to this question. Alas, there’s no switch you can simply flick to stop all the internet companies worldwide harvesting your data.
That said, you can at least minimize the amount of information about your location that falls into the hands of data brokers. Here’s how:
- Be strict with apps asking for access to location data. Often, they’ll work just fine without it — so unless there’s a compelling reason for the app to know your location, just say no.
- Carefully configure privacy in apps that genuinely need your geolocation to function. For example, see our guides to configuring all the most popular running apps.
- Don’t allow apps to track your location in the background. When granting permissions, always select the “Only while using the app” option.
- Uninstall apps you no longer use. In general, try to keep the number of apps on your smartphone to a minimum — this will reduce the number of potential data collectors on your device.
- If you use Apple iOS, iPadOS, or tvOS devices, opt out of app tracking. This will prevent data collected on you from being deanonymized.
- If you use Android, delete your device’s advertising ID. If this option is unavailable in your OS version, reset the advertising ID regularly.
- Install a robust security solution capable of blocking ad-tracking on all your devices.
For more tips on how to put the brakes on generalized data brokers collecting information on you, see our post Advertisers sharing data about you with… intelligence agencies.