A major data breach makes precise locations for users of many popular apps public.

A major data breach at Gravy Analytics seems to have occurred, revealing the exact location data of millions of users of popular smartphone games like Candy Crush, Tinder and MyFitnessPal. Here are some important details about the ongoing leak.

The Gravy Analytics breach has affected users from many leading smartphone apps.

Gravy Analytics, a location data broker that stores data from millions of iOS and Android users, was hacked.

Last week, an hacker claimed to have carried out the breach as reported by 404Media for the first time. But now, data is being released that confirms the claim and simultaneously shows how serious it is.

Millions of precise location data were leaked, showing users' favorites like their home, work place and more.

The existence of this data is reported to be derived from an application call process called Real-Time Bidding (RTB), which determines the advertisements shown to users.

Zach Whittaker from TechCrunch explains:

In this almost immediate auction, all bidding ads can see some information about your device, such as the manufacturer and model, its IP addresses (which can be used to determine a person's exact location), and in some cases even more precise location data if the user allows it, along with other technical factors that help determine which ad is shown to a user.

But as a byproduct of this process, any bidder who bids or anyone who exactly observes these auctions can also access this treasure trove of so-called "bidstream" data, which contains information about devices. Data brokers, including those selling to governments, can combine these collected information with other data from other sources about these people to create a detailed picture of someone and their location.

Gravy Analytics is such a data broker, and now its database has been breached and is publicly online.

Many users of popular ad platforms were affected.

Joseph Cox writes in WIRED:

The list includes dating apps like Tinder and Grindr; large games like Candy Crush, Temple Run, Subway Surfers and Harry Potter: Puzzles & Spells; the transit app Moovit; My Period Calendar & Tracker, a menstruation tracking app with over 10 million downloads; the popular fitness app MyFitnessPal; the social network Tumblr; Yahoo's email client; Microsoft's Office app for 365; and the flight tracker Flightradar24. The list also mentions several religious apps like Muslim Prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps that some users may download ironically to protect their privacy.

You can find a complete list here compiled by someone.

Good news for iPhone users?

The details of the breach are still being revealed, but there is some good news in particular for iPhone users.

Baptiste Robert, CEO of the digital security firm Predicta Lab, told TechCrunch that if you deny an app's request to track, "your data was not shared with this app".

Robert means the "request for permission not to track", a permission notification built into iOS by Apple.

In a post on X, Robert encourages users to go to the settings under Privacy and Security and deactivate tracking-capable apps there. You will also see whether you have previously granted permissions for tracking or not.

There is no official announcement from Apple yet, but if Robert is correct, the Gravy Analytics breach should affect fewer iPhone users than planned.

We will keep you updated on important developments in the Gravy Analytics breach as more information becomes available.

The best iPhone accessories

• 100W charger for fast charging
• 6.6-foot USB-C cable for greater range
• AirPods Pro 2 (now only $179, reduced from $249)
• MagSafe car adapter for iPhone
• 4-pack of intelligent sockets for HomeKit