The privacy of millions of people around the world is at risk after a massive location data broker is hacked

The privacy of millions of people around the world is at risk following an attack on a massive location data broker.

404 Media first reported news of a possible data breach against Gravy Analytics on January 7, 2025, after a hacker threatened to publicly post the stolen data on a forum.

Venntel’s parent company, Gravy Analytics, is an American location data broker that stores data on millions of iPhone and Android users worldwide. The hacker claimed that the compromised information contained location data of smartphone users that could show people’s precise movements.

The Gravy Analytics hack is the latest reminder of the dangers associated with the data broker industry. It also sheds new light on the need to minimize the information you share online as much as possible.

Gravy Analytics Hack

“This is not the typical data breach, it is a threat to national security,” Baptiste Robert, the CEO of digital security firm Predicta Lab, wrote in a long X thread after previewing the leaked dataset.

The total sample size is 1.4 GB and covers more than 30 million compromised locations worldwide. These include devices located in highly sensitive places such as the White House in Washington, the Kremlin in Moscow, Vatican City and some military bases around the world.

The location data of regular users of popular apps also appears to have been leaked. These include the dating app Tinder, music player Spotify and even the beloved mobile game Candy Crush.

And this is just a sample of what we know so far. “Based on the hacker’s claim of having 10 TB of history, the entire data set would likely contain approximately 217,494,792,857 locations,” Robert wrote.

The Gravy Analytics hack is a stark reminder that your mobile apps are actively sharing your sensitive information, in this case your location data, with data brokers to make a profit.

Even Europeans, who are covered by stricter data protection laws such as the GDPR, do not seem to be exempt from this threat.

For example, Norway-based company Unacast, the parent company of Gravy Analytics, confirmed the breach, which affected more than 146,000 pieces of information on Norwegian mobile devices. On January 4, 2025, the company disclosed the details of the breach to the country’s data protection authorities to initiate an investigation, as required by law.

According to Šarūnas Sereika, Senior Product Manager at VPN provider Surfshark, the Gravy Analytics breach “underlines the critical importance of protecting personal location data.”

How to protect your online data

In his by data protection legislation.

On Android, go to Settings, Privacy, Advertising and tap Remove Advertising ID. If you are an iPhone user, go to Settings, Privacy & Security, Tracking and tap Allow apps to request tracking.

“For privacy, turn off location and Wi-Fi when not necessary to avoid being tracked. If an app is showing ads, remove it. It’s likely sharing your location with third parties,” he added.


As Surfshark’s Sereika explains, the many affected apps — including Tinder, Spotify, and Citymapper — “were compromised without users’ explicit consent, exposing precise location data and timestamps and allowing detailed tracking of users’ movements.”

Therefore, it is crucial to check all your mobile applications and disable all permissions, such as sharing location data, when they are not needed for the service to work properly.

I also recommend connecting to one of the best VPN services every time you connect to the internet, especially if you use public Wi-Fi. A virtual private network (VPN) is essentially software that encrypts all your internet connections while masking your real IP address location.

Finally, you may want to consider using a data deletion service like Incogni to help you exercise your right to be forgotten and ask data brokers to delete any data they have about you.
