Skip to content

Gravy Analytics sued for exposing smartphone coordinates

  • by
  • 2 min read

Gravy Analytics has been sued once more for allegedly failing to protect the location data of tens of millions of smartphones, harvested from installed apps and stored on its servers. A complaint has been filed against the company in northern California, and it’s at least the fourth lawsuit the firm has faced since January.

The first lawsuit stemmed from a data breach discovered on January 4, when cybercriminals posted screenshots on XSS, a Russian Cybercrime forum, claiming they had access to 17 TB of records from the firm’s AWS S3 storage buckets. Later, lawsuits were filed in New Jersey on January 14 and 30, and in Virginia on January 31, which also alleged Gravy Analytics of the same.

The latest complaint details that the hacked data includes millions of mobile phone coordinates of devices inside the US, Russia, and Europe. These coordinates were obtained through users of popular mobile apps including Tinder, Grindr, Candy Crush, Subway Surfers, Moovit, My Period Calendar & Tracker, MyFitnessPal, Tumblr, Microsoft’s 365 office application, Yahoo’s email client, religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and even many VPN apps, which are supposed to protect against such data being collected in the first place.

Moving forward, the complaint aims to hold Gravy accountable for the stolen data, adding that it was the firm’s responsibility to protect such sensitive data. It also alleges California’s Unfair Competition Law violations, negligence, and breach of implied contract.

The US still doesn’t have any general federal privacy law. That said, the FTC announced that it banned Gravy Analytics and its subsidiary Venntel from selling sensitive location data in December 2024 under a proposed order to resolve the federal agency’s complaint against the two companies on January 15. Other than that, while Gravy did confirm it suffered a cyberattack on January 4 in a non-compliance report filed with the Norwegian Data Protection Authority, no official word from Gravy about the latest complaint and set of allegations has surfaced yet,

In the News: ChatGPT web search is now open to all; no account required

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

Photo: michael vi / shutterstock. Com

Three ex-employees allege L-1A visa fraud at TCS in US

This is an image of spyware malware cybersecurity privacy featured 31

Threat actors deploy FrigidStealer on Macs via web inject attacks

This is an image of crypto farm

XMRig cryptominer distributed via trojanised game torrents

Photo: sundry photography / shutterstock. Com

Over 100 AWS keys found on public GitHub repositories

This is an image of scam call featured 1

Noida-based call center operation dupes victims of $1.4 million

This is an image of nvidia gpu compared 100

Concerns mount over outdated Nvidia A100 GPUs in India’s AI Mission

  • by
  • In News, AI
>