Rogue actors within the advertising industry are reportedly exploiting major global apps to collect sensitive user location data on a massive scale. This data is then funneled to a location data firm whose subsidiary has previously sold global tracking information to U.S. law enforcement agencies.
Files stolen from the location data company Gravy Analytics reveal that numerous popular apps are involved in this data collection. These apps span categories, including games like Candy Crush, dating platforms such as Tinder, pregnancy tracking tools, and religious prayer apps available on both Android and iOS. Because the collection happens through the advertising ecosystem rather than through code the app developers themselves added, users, and even the app developers, are likely unaware of it.
How the Data Collection Works
Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push, analyzed the data and shared with 404 Media, “For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream,” rather than through embedded app code.
This discovery offers rare insight into the shadowy world of real-time bidding (RTB). Historically, location data providers paid app developers to embed tracking code that harvested user data directly. Many companies now exploit the advertising ecosystem instead: when an app is about to show an ad, an exchange auctions the impression by sending a bid request, which typically carries the device's advertising ID, its IP address and often precise latitude and longitude, to every participating bidder. A data broker that registers as a bidder receives those requests whether or not it ever wins an auction or serves an ad, so it can silently record users' mobile phone locations without their consent and without the app developer necessarily knowing.
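To make the mechanism concrete, the following is an added example and not code from the original article, from 404 Media or from Gravy Analytics. It models an OpenRTB 2.x bid request fanned out to two bidders: an ordinary ad buyer and a "bidder" that only reads the request, stores the location and never bids. It also shows a publisher-side mitigation that strips the advertising ID and coarsens the coordinates before the request leaves the exchange. Field names (`device.geo.lat`, `device.geo.lon`, `device.geo.accuracy`, `device.ifa`, `device.ip`, `device.lmt`, `app.bundle`) follow the public OpenRTB 2.x specification; the bid request itself, the bundle name, the advertising ID, the IP address (from the RFC 5737 documentation range) and the bidder classes are constructed for illustration.

```python
"""Added example (not from the original article, 404 Media or Gravy Analytics):
a minimal model of an OpenRTB 2.x bid request sent to several bidders, showing
that any bidder can record the device location whether or not it buys an ad.

Field names follow the public OpenRTB 2.x spec. The request content, bundle id,
advertising id, IP address (RFC 5737 range) and bidder behaviour are constructed.
"""
import copy
import json

# Constructed bid request, as an exchange would send it to every bidder.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "req-0001",
    "app": {"bundle": "com.example.puzzlegame"},            # constructed bundle id
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",       # constructed advertising id
        "ip": "203.0.113.42",                                 # RFC 5737 documentation range
        "lmt": 0,                                             # "limit ad tracking" flag
        "geo": {"lat": 40.74844, "lon": -73.98566, "type": 1, "accuracy": 12},
    },
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}, "bidfloor": 0.10}],
})


def load_sample():
    """Parse the constructed request into a dict."""
    return json.loads(SAMPLE_BID_REQUEST)


def extract_location(request):
    """What a bidder learns from the request alone, before any bid is placed."""
    device = request.get("device", {})
    geo = device.get("geo", {})
    if "lat" not in geo or "lon" not in geo:
        return None
    return {
        "request_id": request.get("id"),
        "ifa": device.get("ifa"),
        "ip": device.get("ip"),
        "bundle": request.get("app", {}).get("bundle"),
        "lat": geo["lat"],
        "lon": geo["lon"],
        "accuracy_m": geo.get("accuracy"),
    }


class HarvestingBidder:
    """Models a data broker that joins the auction only to read requests.
    It stores every record and never bids (an empty HTTP 204 is a valid no-bid)."""

    def __init__(self):
        self.records = []

    def handle(self, request):
        rec = extract_location(request)
        if rec is not None:
            self.records.append(rec)
        return None  # no bid


class AdBidder:
    """Ordinary buyer that bids a fixed price on any banner impression."""

    def __init__(self, name, price):
        self.name, self.price = name, price

    def handle(self, request):
        imp = request["imp"][0]
        if "banner" not in imp or self.price < imp.get("bidfloor", 0):
            return None
        return {"id": request["id"], "bidder": self.name, "price": self.price}


def run_auction(request, bidders):
    """Fan the request out to every bidder; only the highest bid serves the ad.
    Returns the winning response (or None). Every bidder saw the request regardless."""
    responses = [b.handle(copy.deepcopy(request)) for b in bidders]
    bids = [r for r in responses if r is not None]
    return max(bids, key=lambda r: r["price"]) if bids else None


def coarsen_request(request, decimals=1):
    """Publisher/exchange-side mitigation: drop the advertising id and round the
    coordinates to about a 10 km grid so bidders get a city-level signal, not a track."""
    out = copy.deepcopy(request)
    device = out.setdefault("device", {})
    device.pop("ifa", None)
    geo = device.get("geo")
    if geo and "lat" in geo and "lon" in geo:
        geo["lat"] = round(geo["lat"], decimals)
        geo["lon"] = round(geo["lon"], decimals)
        geo.pop("accuracy", None)  # the stated accuracy no longer applies
    return out


if __name__ == "__main__":
    request = load_sample()
    broker, buyer = HarvestingBidder(), AdBidder("buyer-a", 0.25)
    print("winner:", run_auction(request, [broker, buyer]))
    print("broker recorded:", broker.records[0])
    broker2 = HarvestingBidder()
    run_auction(coarsen_request(request), [broker2, buyer])
    print("after coarsening:", broker2.records[0])
```

The point of the model is the order of events: the harvesting bidder has a complete location record before the auction is decided, and the winning buyer learns nothing about that. Coarsening does not stop a bidder from logging, but it limits what a logged record is worth; the real check for a publisher is which bidders its exchange partners fan requests out to, since anything in the request is visible to all of them.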
“This is a nightmare scenario for privacy,” Edwards added. “Not only does this data breach involve data scraped from RTB systems, but there’s a company out there acting recklessly, collecting and using every piece of data it encounters.”
The compromised data from Gravy Analytics includes tens of millions of cellphone location points from users in the United States, Russia, and Europe. Some files also list specific apps associated with each data point. Upon reviewing the leaked files, 404 Media identified a wide range of popular apps implicated in this breach, including:
- Dating Apps: Tinder, Grindr
- Mobile Games: Candy Crush, Temple Run, Subway Surfers, Harry Potter: Puzzles & Spells
- Transit App: Moovit
- Health & Fitness: My Period Calendar & Tracker, MyFitnessPal
- Social Media: Tumblr
- Email Services: Yahoo Mail
- Productivity Tools: Microsoft 365
- Travel Apps: Flightradar24
- Religious Apps: Muslim prayer apps, Christian Bible apps
- Privacy Tools: Various VPN apps
Ironically, some users turned to VPN apps to protect their privacy, only to have their location data compromised. A VPN hides the device's IP address from the services it connects to, but it does nothing about GPS coordinates that an in-app advertising SDK reads from the operating system and places in a bid request.
This breach highlights a dangerous loophole in the advertising ecosystem, where sensitive user data can be harvested without clear consent or awareness. The involvement of a company with a history of selling data to government agencies raises serious concerns about surveillance and misuse.
As the digital world grows increasingly interconnected, this incident serves as a stark reminder of the urgent need for stronger data privacy regulations and more transparent data practices.
Can Users Trust Their Apps Anymore?
With popular and widely trusted apps implicated in this data collection scheme, users are left questioning whether their privacy is truly protected. Stronger privacy safeguards and greater accountability in digital advertising are now more critical than ever.