Gravy Analytics breach exposed sensitive smartphone location data

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, known for selling smartphone location data to U.S. government agencies. The attackers allege they have exfiltrated a trove of sensitive data, including detailed customer lists, insights into the location data ecosystem, and precise location records that reveal individuals’ movements. The hackers are now threatening to release the data publicly.

For years, companies like Gravy Analytics have built business models around collecting and monetising smartphone location data. This data is typically harvested through mobile apps or advertising frameworks and sold to clients, including U.S. government entities such as the Department of Homeland Security, the military, the FBI, and the IRS, reports 404Media.

While this data has been used for purposes ranging from immigration enforcement to tax investigations, its accumulation presents an attractive target for cybercriminals.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals are haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymisation risks and tracking concerns for high-risk individuals and organisations,” explains cybersecurity researcher Zach Edwards.

The hack could have serious ramifications for victims’ personal lives, as the data can expose sensitive locations.

Hackers have demanded a response from Gravy within 24 hours, threatening to publish the stolen data. Screenshots of the stolen files reveal:

  • Historical smartphone location data, including precise latitude and longitude coordinates and timestamps.
  • Data from various countries, including Mexico, Morocco, the Netherlands, and Russia.
  • Classifications added to data, such as ‘LIKELY_DRIVING.’
  • A ‘users’ file naming major corporations such as Apple, Uber, Comcast, Equifax, and U.S. government contractor Babel Street.

Other leaked information suggests the hackers accessed Gravy’s infrastructure, including gaining root access to Amazon S3 buckets, which store significant amounts of data. Alarmingly, the attackers claim to have maintained access to Gravy’s systems since 2018.

Currently, Gravy Analytics’ website is also down. It is unclear whether this is related to the hack.

This breach raises serious concerns about how sensitive location data is collected, stored, and sold. Edwards noted that this type of data could reveal individuals’ habits, such as where they live, work, or spend leisure time, and could even expose visits to sensitive locations like abortion clinics or government facilities.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
