HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Millions of smartphone users location data stolen in major hack

Written by Abby Grifno | Jan 14, 2025 9:43:24 PM

The attack is estimated to impact hundreds of companies and millions of smartphone users. 

 

What happened

Gravy Analytics, a US location tracking firm, was recently the target of a large cyberattack. It’s estimated that more than 10 terabytes of data were stolen, with victimized companies including Tinder, Spotify, Citymapper and hundreds of others. 

The Russian-speaking hackers shared a sample of stolen data online to confirm it had been taken. Baptiste Robert, a cybersecurity analyst, took a look at the sample and, according to Sky News, was “able to easily identify individuals around military bases and government offices, as well as details about people’s homes and family lives.”

 

Going deeper

Expert Grame Stewart from cybersecurity firm Check Point added that the attack was a “new type…It’s not just your personal details, it’s really quite intimate details about your life and what you’re doing and how you’re doing it.” 

The sample data included precise latitude and longitude coordinates of people’s phones as well as the time the phone was at that location. 

Gravy Analytics, the company that was initially targeted, is known for selling data from thousands of apps around the world. The company collects information through smartphones and then sells it to other companies or the government. 

Some companies involved in the breach deny any involvement with Gravy Analytics. It’s possible that these companies were breached because their apps were downloaded on phones with apps connected to Gravy.  

A Tinder spokesperson, for instance, stated, “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was  obtained from the Tinder app.” 

 

What’s next

Individuals are advised to turn off their location when it isn’t needed. It’s also recommended that Android users delete their advertising ID and iOS users turn off “Allow Apps to Request to Track” in their privacy settings. 

So far, Gravy Analytics has not discussed the issue and is likely investigating the matter. Massive breaches like these can put pressure on companies to quickly implement stronger security practices and provide reassurance to users. 

 

The big picture

Data breaches like these may be harmless for the majority of individuals but could be part of larger attempts to gather intelligence on prominent people, such as government workers. While many organizations deny involvement with Gravy Analytics, that can make it difficult to determine how the breach was able to spread to so many apps. 

As the investigation continues, impacted companies will likely send notices to customers and outline any next steps that will be taken