

macrumors bot
Original poster


Data broker Gravy Analytics has been hacked, and location information from millions of iPhone and Android users is at risk, reports TechCrunch. Gravy Analytics' parent company Unacast disclosed the data breach earlier this month [PDF], and said that its AWS cloud storage environment had been accessed by an unauthorized person using a "misappropriated access key."


"Some files" were obtained, and preliminary findings suggest those files "could contain personal data" collected from users of third-party services that use Gravy Analytics. According to 404 Media, hackers are claiming to have customer lists and location data from smartphones that shows people's precise movements, with millions of users affected. Some of that data, which does indeed include the historical location of smartphones, has been published on private forums.

Gravy Analytics says that it tracks more than a billion devices around the world daily, and security researchers that saw a sample of the data collected by Gravy Analytics confirmed that the information can be used to track a person's recent locations, with no anonymization.

In December, the United States Federal Trade Commission (FTC) prohibited Gravy Analytics and its subsidiary Venntel from selling, disclosing, or using sensitive location data in any product or service. The FTC warned that the two companies exposed consumers to privacy harms that could include disclosure of health information, political activity, and religious practices, and put people at risk of stigma, discrimination, violence and other harms.

The order required Gravy Analytics to delete all historic location data and any data products developed using data collected from consumers, but it was apparently too late because the company's systems had likely already been breached at the time.

Gravy Analytics collects location data through the real-time bidding (RTB) process used to sell ads: every company competing to buy an ad impression receives a bid request that can carry the user's IP address and, if the app has location access, more precise location data. Gravy Analytics' database had location data from iPhone apps that include FlightRadar, Grindr, and Tinder, and while the apps did not have a direct relationship with the data broker, user location information was collected through their ads.

Turning off Allow Apps to Request to Track under Settings > Privacy & Security > Tracking denies apps the advertising identifier that lets ad networks link location data to a specific device, and revoking Precise Location for individual apps under Settings > Privacy & Security > Location Services limits them to an approximate position, which is another way to preserve more privacy.

Baptiste Robert, CEO of security firm Predicta Lab, told TechCrunch that iPhone users who had app tracking disabled did not have their data shared.

Article Link: Data Broker Hack Exposes Location Info From Millions of iPhone Users
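To make the mechanism in the article concrete, here is an added example (not code from MacRumors, TechCrunch or Gravy Analytics) that triages a handful of constructed OpenRTB 2.5 bid requests the way a downstream data consumer would. The field names device.ifa, device.lmt, device.ip and device.geo.{lat,lon,type,accuracy} are from the OpenRTB 2.5 specification; the app bundle names, the identifiers, the 100 m "precise" threshold and the sample requests themselves are assumptions constructed for the demonstration. It shows why one identifier shared across apps turns unrelated ad impressions into a movement trail, and what changes when App Tracking Transparency is denied (iOS returns an all-zero IFA and sets lmt=1) or Precise Location is off (the fix is still GPS-sourced but coarse).

```python
"""Triage OpenRTB bid requests for linkable precise-location records.

Added example; the bid requests below are constructed, not captured traffic.
"""
import json
from collections import defaultdict

NULL_IFA = "00000000-0000-0000-0000-000000000000"  # what iOS returns when tracking is denied
PRECISE_RADIUS_M = 100  # assumed threshold: a fix tighter than this counts as "precise"

# Constructed sample bid requests (assumed bundle IDs and identifiers).
SAMPLE_BID_REQUESTS = [
    # Tracking allowed, precise location: a flight-tracking app's impression.
    {"id": "req-1", "app": {"bundle": "com.example.flights"},
     "device": {"ifa": "6D92078A-8246-4BA4-AE5B-76104861E7DC", "lmt": 0, "ip": "203.0.113.10",
                "geo": {"lat": 37.3318, "lon": -122.0312, "type": 1, "accuracy": 12}}},
    # Same device, hours later, a dating app's impression: same IFA, new location.
    {"id": "req-2", "app": {"bundle": "com.example.dating"},
     "device": {"ifa": "6D92078A-8246-4BA4-AE5B-76104861E7DC", "lmt": 0, "ip": "198.51.100.7",
                "geo": {"lat": 37.7749, "lon": -122.4194, "type": 1, "accuracy": 8}}},
    # ATT denied: all-zero IFA and lmt=1, but the app still has precise location.
    {"id": "req-3", "app": {"bundle": "com.example.dating"},
     "device": {"ifa": NULL_IFA, "lmt": 1, "ip": "198.51.100.7",
                "geo": {"lat": 37.7749, "lon": -122.4194, "type": 1, "accuracy": 8}}},
    # Precise Location off for the app: still a GPS-type fix, but kilometres wide.
    {"id": "req-4", "app": {"bundle": "com.example.flights"},
     "device": {"ifa": "9F1E2D3C-4B5A-4697-8877-665544332211", "lmt": 0, "ip": "192.0.2.44",
                "geo": {"lat": 37.78, "lon": -122.42, "type": 1, "accuracy": 5000}}},
]


def triage_request(req: dict) -> dict:
    """Summarise what a bidder (or a broker fed the bid stream) learns from one request."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    ifa = dev.get("ifa")
    # A usable cross-app identifier needs a real IFA and no limit-ad-tracking flag.
    stable_id = ifa if ifa and ifa != NULL_IFA and dev.get("lmt", 0) != 1 else None
    lat, lon = geo.get("lat"), geo.get("lon")
    # OpenRTB geo.type 1 = GPS/location services; accuracy is in metres.
    precise = (lat is not None and lon is not None and geo.get("type") == 1
               and geo.get("accuracy", float("inf")) <= PRECISE_RADIUS_M)
    return {
        "id": req.get("id"),
        "bundle": req.get("app", {}).get("bundle"),
        "device_id": stable_id,
        "ip": dev.get("ip"),
        "lat": lat,
        "lon": lon,
        "precise": precise,
        # Only a stable ID plus a precise fix joins into a per-device history.
        "linkable": stable_id is not None and precise,
    }


def build_trails(requests: list) -> tuple:
    """Group linkable records by device ID, the way a location broker builds trails.

    Returns (trails, unlinkable_ids): trails maps IFA -> [(bundle, lat, lon), ...]
    in request order; unlinkable_ids lists requests that cannot be joined to a device.
    """
    trails = defaultdict(list)
    unlinkable = []
    for req in requests:
        rec = triage_request(req)
        if rec["linkable"]:
            trails[rec["device_id"]].append((rec["bundle"], rec["lat"], rec["lon"]))
        else:
            unlinkable.append(rec["id"])
    return dict(trails), unlinkable


if __name__ == "__main__":
    trails, unlinkable = build_trails(SAMPLE_BID_REQUESTS)
    print(json.dumps({"trails": trails, "unlinkable": unlinkable}, indent=2))
```

Running it shows one trail: the flight app's impression and the dating app's impression are joined purely on the shared IFA, even though neither app ever talked to the broker. req-3 still carries a precise fix, so the coordinates and IP are exposed to every bidder on that single auction, but with no stable identifier they cannot be stitched to the earlier records; req-4 carries the identifier but only a coarse fix. Denying tracking removes the join key, not the per-request leak, which is why revoking Precise Location is the complementary control.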
 
I feel like this story ignores the larger point.

Gravy is far from the only player in this market. Who you are and where you’ve been is data that’s collected, harvested, and used all the time.

A hack means that more people have access to that data who shouldn’t. Yeah, that’s not good. But there are thousands of companies that have some of this data on you because they collected it — or paid for it — “legally.” That should be disconcerting for many people.
 
Turning off app tracking in the Privacy and Security section of the iPhone's Settings app keeps ads from being able to obtain a unique device identifier to link location data to a specific device, and preventing apps from using precise location data is also a way to preserve more privacy.
I also highly recommend people get an ad and tracker blocking DNS set up to further block such things on all devices and websites. The easiest is NextDNS, which is the best $20/year I spend probably. Other more complex solutions are PiHole or AdGuard Home.
 
is this blocked by default in the EU? Are these issues US only?
This is never a US-only issue. If they provide consent at point of collection and you opt in, they collect this from you. We only send data if consent has been provided, which is only about 60% for us in the EU. Also, with data portability regulations this data could be getting sent to the US.
 
Seconding this, and it’s not too hard to set up!
I also highly recommend people get an ad and tracker blocking DNS set up to further block such things on all devices and websites. The easiest is NextDNS, which is the best $20/year I spend probably. Other more complex solutions are PiHole or AdGuard Home.
I highly recommend AdGuard home in addition to using adblocking browser extensions. You can set up AdGuard home and combine it with tailscale to get dns level blocking on just about any device no matter where you are. I get whiplash any time I use somebody else’s device, I don’t see ads anymore!
 
It's only a matter of time until personal data collection becomes illegal to collect. It has been shown time and again that none of them can protect the user and, on the contrary, do a lot of harm.
Maybe in the EU, I just don’t see it happening in the US - too many free online services depend on that data and they’ll do anything to keep getting it.
 
My iPhone is not allowing app tracking

Go to Settings > Privacy & Security > Tracking. The list shows the apps that requested permission to track you. You can turn permission on or off for any app on the list. To stop all apps from asking permission to track you, turn off Allow Apps to Request to Track (at the top of the screen).

See https://support.apple.com/en-gb/guide/iphone/iph4f4cbd242/ios
 
Gravy Analytics collects location data through a real-time ad bidding process that allows companies competing to buy an ad to see customer IP address and more precise location data if enabled.
this is disgusting, ad industry adds no value ...

In December, the United States Federal Trade Commission (FTC) prohibited Gravy Analytics and its subsidiary Venntel from selling, disclosing, or using sensitive location data in any product or service. The FTC warned that the two companies exposed consumers to privacy harms that could include disclosure of health information, political activity, and religious practices, and put people at risk of stigma, discrimination, violence and other harms.
next step: shut those companies down and fine the exec staff $$$$$
 
Lawsuit incoming with my $0.01 check... in 10 years
You could sue, may get something. We had a subdomain misconfigured a few years back and a single person got around $100k settlement.
It's only a matter of time until personal data collection becomes illegal to collect. It has been shown time and again that none of them can protect the user and, on the contrary, do a lot of harm.
as someone in advertising I wish it would. Let us get back to awareness and branding and all measurement in the same way instead of a bunch of overlapping techniques
 
"The order required Gravy Analytics to delete all historic location data and any data products developed using data collected from consumers, but it was apparently too late because the company's systems had likely already been breached at the time."

So we know who hacked in then.. the NSA.
 