
Massive location data hack exposed 30M records – here’s how to protect yourself

Published Jan 14th, 2025 6:50AM EST

I’ve been an iPhone user for a long time, and I’m very mindful of who I share my location with or what apps and services get access to location data. I block apps from tracking me, and I do not share location access unless I have to. Even then, I ensure that location access is temporary or set to “while using” the app in question.

These habits and protections mean I’m at ease hearing that a location data broker suffered a major data breach and that hackers are in possession of location data that could identify people and their movements. I hardly share any location data, so what could they have on me?

It turns out that even without sharing location data, ads from certain apps might be responsible for sharing location data with data brokers. This happens regardless of my preferences and without the explicit knowledge of said apps. In such a case, some location data could always make it to the databases of firms like Gravy Analytics.

This is the name of the location data broker that was recently hacked. Gravy Analytics confirmed the attack and data breach. Hackers have posted location samples from the breach, and experts say that over 30 million data points may have been leaked in the hack. That’s only a sample of a much bigger file.

The good news is that it’s not too late to protect yourself against future location-related data breaches. The bad news is that if you’ve been lax about location sharing with apps and services, some of your data might be in the hands of hackers.

According to TechCrunch, the location data comes from all sorts of mobile apps available on iPhone and Android. Fitness and health, dating, transit apps, and games may have provided Gravy Analytics location data that hackers then stole.

The data leaked online last weekend after hackers posted a sample on a forum in Russia. It covers the historical location data of millions of smartphones, which could be used to track users.

While Gravy Analytics and parent company Unacast acknowledged the location data hack, little is known about it. The attack is under investigation.

Separately, data protection agencies in Norway and the UK are also conducting their own inquiries into the matter.

Predicta Lab CEO Baptiste Robert obtained a copy of the information. Predicta Lab is a digital security firm that has the tools to inspect such data.

Robert said the dataset contained more than 30 million location data points from just a 1.4GB sample. The hackers claim they have 10TB of location history, which could amount to 217 billion data points.

The sample includes data from smartphones used at the White House, the Kremlin in Moscow, Vatican City, and military bases worldwide. He also shared a map showing location data from Tinder users in the UK. The expert also explained that the data can be used to identify military personnel.

What hackers can do with location data

The leaked location data can be used to track people online. For example, Robert tracked a person traveling from New York to Tennessee. Anyone with access to the data could do the same thing to target specific individuals and discern their day-to-day activities. Malicious individuals could determine when someone is at home or work and how far apart these places are.

What’s more disturbing in the whole thing is that iPhone and Android users do not fully control access to their location. TechCrunch explains that companies like Gravy Analytics source most of their location data from an ad-related process called real-time bidding.

This auction determines which advertiser gets to show an ad on a device inside an app or website. It’s just a few milliseconds long, but the process is enough to give bidders access to some information about the device, including the type of smartphone and IP addresses. The latter is sufficient to give them an idea of your approximate location. If you also give the app access to your location data, they’ll get more precise location information.
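An added illustration, not from the original article or the reports it cites: the article does not name the bid request format, so this example assumes OpenRTB 2.x field names and uses a constructed request with made-up values. It lists what a bidder could log from a single auction, and what is still exposed once precise location is denied and the advertising ID is zeroed.

```python
import json

# Constructed sample bid request (OpenRTB 2.x field names assumed; values are made up).
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "constructed-auction-1",
  "app": {"bundle": "com.example.transit"},
  "device": {
    "make": "ExampleCo", "model": "Phone 1", "os": "android",
    "ip": "203.0.113.24",
    "ifa": "3f2a9c1e-7b44-4d0a-9e61-5c8d2b7a1f00",
    "geo": {"lat": 40.7128, "lon": -74.0060, "type": 1}
  }
}
""")

ZERO_IFA = "00000000-0000-0000-0000-000000000000"
GEO_SOURCE = {1: "GPS/location services", 2: "derived from IP address", 3: "user provided"}


def audit_bid_request(req):
    """Return (field, finding) pairs for data a bidder could log from this request."""
    findings = []
    device = req.get("device", {})
    if device.get("make") or device.get("model"):
        findings.append(("device.make/model", "device type visible to bidders"))
    if device.get("ip") or device.get("ipv6"):
        findings.append(("device.ip", "approximate location via IP geolocation"))
    ifa = device.get("ifa")
    if ifa and ifa != ZERO_IFA:
        findings.append(("device.ifa", "stable ad ID links separate points into one track"))
    geo = device.get("geo", {})
    if "lat" in geo and "lon" in geo:
        source = GEO_SOURCE.get(geo.get("type"), "unknown source")
        findings.append(("device.geo", f"coordinates present ({source})"))
    return findings


def redact(req):
    """Assumed shape of the same request with location denied and the ad ID zeroed."""
    clean = json.loads(json.dumps(req))  # deep copy via JSON round trip
    clean["device"].pop("geo", None)
    clean["device"]["ifa"] = ZERO_IFA
    return clean


if __name__ == "__main__":
    for field, finding in audit_bid_request(SAMPLE_BID_REQUEST):
        print(f"{field}: {finding}")
    print("after redaction:", [f for f, _ in audit_bid_request(redact(SAMPLE_BID_REQUEST))])
```

The IP address remains in the redacted request, which is why approximate location can still reach bidders regardless of the permission settings.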

The report notes that apps including FlightRadar, Grindr, and Tinder might have inadvertently offered Gravy Analytics location data through their ads. These companies denied a business deal with the hacked location data broker, but the dataset shows the information came from these apps.

According to 404Media, thousands of apps have been used to collect location data. The list can include games like Candy Crush, fitness apps like MyFitnessPal, pregnancy tracking apps, and religious prayer apps.

Interestingly, the Gravy Analytics location data hack came weeks after the FTC banned the company and its subsidiary Venntel from collecting and selling Americans’ location data without consumer consent. However, that ban isn’t likely to have helped users that much. Gravy Analytics claims they can track more than a billion devices worldwide every day.

What you can do

You should not delete any apps appearing in articles detailing the breach. The location data collection happened mostly without anyone’s consent, whether the user or the app developer.

The most important thing is to stop apps from accessing your location. Go to your iPhone or Android device’s Settings app and inspect which apps have access to your location. Remove access for most of them, or select “While Using” where available.

Whether you’re careful about location sharing like me or not, the good news is other protections also work. Robert told TechCrunch that your data probably hasn’t been shared if you block apps from tracking you on your iPhone. If you let apps track you, it’s time to visit the Settings app, go to Privacy & Security, and then Tracking. There, you’ll want to turn off the feature completely, or remove tracking access for most apps.

Android users can improve their privacy by visiting the Ads section of the Privacy menu in the Settings app. Delete or reset your advertising ID regularly to reduce the risk of being tracked if and when a similar hack happens.

What you can’t do is remove any location data from the hack that might be related to you.

Chris Smith Senior Writer
