On Sunday, a hacker claimed they’d stolen terabytes of data from Gravy Analytics, one of the world’s biggest brokers of location data collected from widely used mobile apps like games and dating apps. The hacker, who released just over a gigabyte of the data as alleged proof on a popular cybercriminal forum, threatened to share more if the company didn’t respond. By Friday, the hacker’s post had been removed — an indication Gravy had cooperated.
If the hacker’s claims are legitimate, it would indicate a catastrophic breach, exposing the location information of millions of people. “There is a significant concern over the magnitude of this breach,” said Alex Holden, a cybersecurity researcher and founder of Hold Security, who reviewed the data the hacker released. “Examining the disclosed data, it is possible to run correlations based on timestamps, IP addresses, and browser user agents to connect geolocations to individuals.” Holden said that the disappearance of the hacker’s post suggested they had come to a deal with Gravy to avoid further data disclosures.
According to the now-deleted data snapshot, one Gravy customer is an app for the LGBTQ community. The data appeared to provide pinpoint locations of the app’s millions of users, including as many as 200 based in the U.A.E., where homosexuality is illegal and punishable by imprisonment. Forbes is not naming the app over concerns it could further endanger users, and it had not responded to requests to confirm or deny whether its users’ data had been sent to Gravy.
The company, which is now known as Unacast following a merger last year, did not respond to requests for comment. Gravy and its competitors offer location data alongside analysis services to all manner of customers, whether that’s retailers trying to determine footfall, or law enforcement agencies trying to determine the whereabouts of individuals or groups of people. The alleged hack was first reported by 404 Media.
Holden and other researchers cautioned that though the hacker released a portion of the total data they claimed to have acquired, it was still unclear just how much legitimate Gravy information they had. The hacker did not disclose how they obtained the data.
However, Forbes was able to verify with three individuals who had been named in a “users” file that the information related to them in the database was accurate and that they either are or were a Gravy customer. Meanwhile, the Gravy website is currently down, as is its application programming interface (API), software allowing its customers to connect to its data.
Holden noted the hacker, known as “nightly,” had built a reputation in underground hacker circles as a kind of salesperson, offering access to hacked company servers compromised by others. They were now claiming to be breaching companies themselves, Holden said.
Grindr, another dating app aimed at the LGBTQ+ community, was also listed as a partner app in the leaked data, though the company said that was a false description. Holden told Forbes there were thousands of entries for Grindr user coordinates, all in countries where homosexuality was legal, such as the U.K. and Argentina. And according to a LinkedIn post from Alon Gal, cofounder and CTO at cybersecurity company Hudson Rock, a screenshot from the leak appeared to show Grindr location information (Gal declined to comment). Grindr told Forbes, however, that it never had a business relationship with Gravy. The company ceased sharing location data with all partners years ago.
User locations could have found their way into Gravy databases through other means. As Gal wrote on LinkedIn, “Apps like Grindr might be sharing user data with data aggregators or brokers, who in turn share it with companies like Gravy Analytics.” Grindr said that it does not share data with data aggregators or brokers.
Location data companies like Gravy can also buy data from other brokers that harvest location information from various sources in the industry, derided by privacy advocates as a convoluted web of entities trading people’s private details with little oversight.
Grindr is currently being sued in the U.K. as part of a class action where it’s alleged the company sold users’ location data and HIV status to various marketing partners up until at least 2020. Grindr’s chief privacy officer Kelly Miranda confirmed that the company “previously included location information in ad requests up to early 2020.” On the other claims in the U.K. case, Miranda said they were “based on a fundamental mischaracterization of practices from five years ago, prior to early 2020,” adding, “Grindr has never sold or shared user-reported health information, including HIV status, for advertising purposes.”
Location data is a controversial business. Last month, the Federal Trade Commission (FTC) announced it was planning to take action against Gravy and its sister company Venntel “for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.” The FTC proposed prohibiting both entities from selling or sharing location data “except in limited circumstances involving national security or law enforcement,” but has not finalized the consent order.
Though the hacker claiming to have access to Gravy’s information could be exposing a huge tranche of sensitive data, it was likely already for sale. “While this is concerning enough as a possible full disclosure of stolen data,” Holden added, “I keep thinking of how some threat actors, including nation-state backed threat actors, were able to obtain this type of data by legitimately purchasing access to Gravy Analytics data.”