
Global Apps Exploited to Harvest Sensitive Location Data


Rogue actors within the advertising industry are reportedly exploiting major global apps to collect sensitive user location data on a massive scale. This data is then funneled to a location data firm whose subsidiary has previously sold global tracking information to U.S. law enforcement agencies. 
 
Hacked files from the location data company Gravy Analytics reveal that numerous popular apps are involved in this data collection. These apps span categories including games like Candy Crush, dating platforms such as Tinder, pregnancy tracking tools, and religious prayer apps, on both Android and iOS. Because this data gathering occurs through the advertising ecosystem rather than through code the app developers added themselves, users, and even app developers, are likely unaware of these invasive practices.

How the Data Collection Works 
 
Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push, analyzed the data and told 404 Media, “For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream,” rather than through embedded app code.

This discovery offers rare insight into the shadowy world of real-time bidding (RTB). Historically, location data providers paid app developers to integrate tracking code that harvested user data. However, many companies now exploit the advertising ecosystem, where firms bid to place ads in apps. Data brokers can tap into this system, silently collecting users' mobile phone locations without consent.

“This is a nightmare scenario for privacy,” Edwards added. “Not only does this data breach involve data scraped from RTB systems, but there’s a company out there acting recklessly, collecting and using every piece of data it encounters.”

The compromised data from Gravy Analytics includes tens of millions of cellphone location points from users in the United States, Russia, and Europe. Some files also list specific apps associated with each data point. Upon reviewing the leaked files, 404 Media identified a wide range of popular apps implicated in this breach, including:
  • Dating Apps: Tinder, Grindr
  • Mobile Games: Candy Crush, Temple Run, Subway Surfers, Harry Potter: Puzzles & Spells
  • Transit App: Moovit
  • Health & Fitness: My Period Calendar & Tracker, MyFitnessPal
  • Social Media: Tumblr
  • Email Services: Yahoo Mail
  • Productivity Tools: Microsoft 365
  • Travel Apps: Flightradar24
  • Religious Apps: Muslim prayer apps, Christian Bible apps
  • Privacy Tools: Various VPN apps
Ironically, some users turned to VPN apps to protect their privacy, only to have their location data compromised. 

This breach highlights a dangerous loophole in the advertising ecosystem, where sensitive user data can be harvested without clear consent or awareness. The involvement of a company with a history of selling data to government agencies raises serious concerns about surveillance and misuse. As the digital world grows increasingly interconnected, this incident serves as a stark reminder of the urgent need for stronger data privacy regulations and more transparent data practices. 

Can Users Trust Their Apps Anymore? 
 
With popular and widely trusted apps implicated in this data collection scheme, users are left questioning whether their privacy is truly protected. Stronger privacy safeguards and greater accountability in digital advertising are now more critical than ever. 

Gravy Analytics Data Breach Exposes Sensitive Location Data of U.S. Consumers


Gravy Analytics, the parent company of data broker Venntel, is facing mounting scrutiny after hackers reportedly infiltrated its systems, accessing an alarming 17 terabytes of sensitive consumer data. This breach includes detailed cellphone behavior and location data of U.S. consumers, sparking serious privacy and security concerns.

FTC Lawsuit Over Privacy Violations

In December, the Federal Trade Commission (FTC) filed a lawsuit against Gravy Analytics, accusing the company of harvesting sensitive location and behavioral data without obtaining proper consumer consent. This legal action highlights the growing concerns over data brokers' unchecked collection and distribution of personal information.

Details of the Breach

The recent hack, first reported by 404 Media, exposed vast troves of data revealing intricate location patterns of U.S. citizens. Key aspects of the breach include:
  • Data Volume: Approximately 17 terabytes of location and behavior data were compromised.
  • Scope of Data: Includes detailed movement patterns collected from smartphones via apps and advertising networks.
  • Potential Impact: Raises severe risks of deanonymization and tracking of high-risk individuals.

Industry-Wide Privacy Concerns

For years, data brokers like Gravy Analytics have collected smartphone location data and sold it to various buyers, including U.S. government agencies such as the Department of Homeland Security (DHS), Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI), and the military. This practice allows agencies to bypass warrant requirements, raising constitutional and ethical concerns.

Cybersecurity expert Zach Edwards, a senior threat analyst at Silent Push, stressed the severity of this breach:

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals are haunting. If all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high-risk individuals and organizations. This may be the first major breach of a bulk location data provider, but it won’t be the last.”

A Troubled Industry with a History of Breaches

The data broker industry has long been criticized for its lack of regulation, excessive data collection, and weak security measures. Past incidents include:
  • Military and Intelligence Data for Sale: Investigations by Wired exposed how easily U.S. military and intelligence officer movement data could be purchased.
  • Abortion Clinic Data Leak: Brokers sold sensitive location data of abortion clinic visitors to activist groups.
  • Massive Identity Leak: Another broker exposed the social security numbers of 270 million Americans.

Despite these alarming breaches, regulatory action has been limited. The FTC has made efforts to curb these practices, but its authority faces political challenges that could undermine its effectiveness.

Growing Pressure for Regulation

Privacy advocates warn that without meaningful reforms, the data broker industry could soon face a catastrophic scandal surpassing previous breaches. Should such an event occur, policymakers who have neglected privacy concerns may be forced into a reactive stance, scrambling to implement safeguards.

This latest breach involving Gravy Analytics underscores the urgent need for comprehensive data privacy regulations to protect consumers from exploitation and cyber threats.