Wednesday, January 15, 2025

An enormous hack of mobile location data could have put the safety of gay people in danger

On Sunday, a hacker claimed he stole terabytes of information from Gravy Analytics, one of the world’s largest brokers of location data collected by widely used mobile apps such as games and dating apps. The hacker, who posted just over a gigabyte of the information as alleged evidence on a popular cybercriminal forum, threatened to leak more data if the company didn’t respond. On Friday, the hacker’s post was removed – a sign that Gravy had cooperated.

If the hacker’s claims are legitimate, it might indicate a catastrophic breach that exposed the location information of thousands and thousands of individuals. “There is significant concern about the scale of this breach,” said Alex Holden, a cybersecurity researcher and founder of Hold Security, who reviewed the information released by the hacker. “By examining the exposed data, it is possible to perform correlations based on timestamps, IP addresses and browser user agents to link geolocations to individuals.” Holden said the disappearance of the hacker’s post suggests that they’ve reached an agreement with Gravy to stop the disclosure of further data.

According to the now-deleted data snapshot, one Gravy customer is an app for the LGBTQ community. The data appeared to provide precise locations of the app’s thousands and thousands of users, including as many as 200 in the United Arab Emirates, where homosexuality is unlawful and punished with imprisonment. Forbes is not naming the app because it fears doing so could further endanger users, and the app has not responded to inquiries about whether its users’ data was sent to Gravy.

“I keep thinking about how some threat actors, including state-sponsored threat actors, have been able to obtain this type of data by legitimately purchasing access.”

Alex Holden, founder of Hold Security

The company, now known as Unacast after a merger last year, didn’t reply to requests for comment. Gravy and its competitors provide location data and analytics services to all sorts of customers, whether they are retailers seeking to track customer traffic or law enforcement agencies seeking to track the location of people or groups of individuals. The suspected hack was first reported by 404 Media.

Holden and other researchers warned that while the hacker disclosed some of the data they allegedly collected, it was still unclear how much legitimate Gravy information they had. The hacker didn’t disclose how he obtained the information.

However, for three people named in a “user” file, Forbes was able to confirm that the data about them contained in the database was correct and that they either are or were a Gravy customer. Meanwhile, Gravy’s website is currently unavailable, as is its application programming interface (API), software that enables customers to access the company’s data.

Holden noted that the hacker, known as “Nightly,” had built a reputation in underground hacking circles as a kind of salesman who offered access to hacked corporate servers that were compromised by others. They now claim to be hurting businesses themselves, Holden said.

Grindr, another dating app for the LGBTQ+ community, was also listed as a dating app within the leaked data, although the company said this was an incorrect description. Holden told Forbes there were hundreds of entries for Grindr user coordinates, all in countries where homosexuality was legal, such as the United Kingdom and Argentina. And according to a LinkedIn post from Alon Gal, co-founder and CTO of cybersecurity company Hudson Rock, a screenshot of the leak appeared to show Grindr location information (Gal declined to comment). Grindr told Forbes, however, that there was never a business relationship with Gravy. The company stopped sharing location data with all partners years ago.

User locations could have entered the Gravy databases through other means. As Gal wrote on LinkedIn, “Apps like Grindr may share user data with data aggregators or brokers, who in turn share it with companies like Gravy Analytics.” Grindr said it doesn’t share data with data aggregators or brokers.

Location data firms like Gravy can also buy data from other brokers that collect location information from various industry sources, which privacy advocates deride as a tangled web of firms trading in people’s private data without much oversight.

Grindr is currently being sued in the United Kingdom as part of a class action lawsuit alleging that the company sold users’ location data and HIV status to numerous marketing partners until at least 2020. Kelly Miranda, Grindr’s chief privacy officer, confirmed that the company “previously included location information in ad requests through early 2020.” As for the other claims in the UK case, Miranda said they were “based on a fundamental mischaracterization of practices from five years ago, prior to early 2020,” adding, “Grindr has never sold or shared user-reported health information, including HIV status, for promotional purposes.”

Location data is a controversial business. Last month, the Federal Trade Commission (FTC) announced it planned to take action against Gravy and its sister company Venntel “for unlawfully tracking and selling sensitive user location data, including selling data about consumer visits to health care sites and places of worship.” The FTC proposed banning both firms from selling or sharing location data “except in limited cases involving national security or law enforcement,” but has not yet finalized the consent order.

Although the hacker who claims to have access to Gravy’s information could be exposing a considerable amount of sensitive data, it was likely already on the market. “While this is concerning enough as a possible full disclosure of stolen data,” Holden added, “I continue to think about how some threat actors, including state-sponsored threat actors, have been able to obtain this type of data, by legitimately purchasing access to Gravy Analytics data.”
