A major data leak event exposing the precise locations of many popular app users

2025/01/14 1:14:53
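A data leak at Gravy Analytics has exposed the precise location information of tens of millions of users. The incident is reported to be related to the real-time bidding process for in-app ads. Users of many popular apps have been affected. iPhone users may be able to reduce some of the impact by denying tracking permission in Settings.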
A major data leak involving Gravy Analytics has exposed the precise location information of millions of users of popular smartphone apps such as Candy Crush, Tinder, and MyFitnessPal. What should be known about this ongoing leak?

Gravy Analytics Security Breach Affects Many Top Smartphone App Users

Gravy Analytics, a data broker that holds location data for millions of iPhone and Android users, was hacked.

A week ago, the hacker claimed an intrusion had occurred. However, it is now confirmed that the data has started to leak and the severity of the situation is becoming apparent.

Millions of precise location data points are being made public, showing users' most visited locations. This includes various places such as homes and workplaces.

This data reportedly exists as a byproduct of the real-time bidding process, in which advertisers compete in auctions that determine which ads will be displayed to app users.

As Zack Whittaker explains on TechCrunch:

In near-instantaneous auctions, all advertisers can see some information about your device. This includes manufacturer and model type, IP address (which can be used to estimate the user's approximate location), and more precise location data if allowed by the app user. Additionally, other technical elements that help determine which ads will be displayed to users are also included.

However, as a byproduct of this process, anyone who participates in or closely monitors this "bid stream" data can gain access to it. This includes device information. Data brokers such as governments and other companies can use this personal data collected from other sources to create detailed pictures of someone's life and location.

"Gravy Analytics is one such data trading company, and now its data has been compromised and leaked online."

Many users of popular ad delivery apps have been affected.

This list includes dating sites like Tinder and Grindr; large-scale games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; Moovit (a mobile app); the women's cycle-tracking app My Period Calendar & Tracker, with over 10 million downloads; fitness apps like MyFitnessPal; social networking sites like Tumblr; the Yahoo Mail client; Microsoft Office 365 apps; and the flight tracker Flightradar24. The list also includes prayer apps for Muslims and Bible apps for Christians, various pregnancy management apps, and many VPN apps, which some users, ironically, download to protect their privacy.

You can find a complete list created by someone here.

Good News for iPhone Users?

The first sign of good news for iPhone users is now evident.

Baptiste Robert, CEO of digital security company Predicta Lab, told TechCrunch that "if you reject an app's request to track you, it says 'your data is not being shared with the app.'"

Robert refers to the "Track App" permission pop-up built into iOS.

In a post on X, Robert encourages users to navigate to Settings > Privacy & Security > Tracking and disable tracking for apps that have been granted the permission. The screen also shows whether tracking permission was previously granted or not.

Apple has not yet made an official statement. However, if Robert is correct, the number of iPhone users affected by the Gravy Analytics leak should significantly decrease.

"I will update with more information about important developments regarding Gravy Analytics' vulnerabilities as more details become available."
