A massive breach could affect the data of millions of users from Vinted, Spotify, Candy Crush, Tinder, MyFitnessPal, and thousands more apps
Millions of users worldwide, including those of popular apps like Vinted, Spotify, Candy Crush, and Tinder, may have had their sensitive location data stolen in a recent data breach.
A hacker, using the alias “Nightly,” posted details of the breach on a Russian-language forum frequented by cybercriminals. The stolen data reportedly originates from Gravy Analytics (GA), a US-based company that brokers location data for numerous apps.
Experts estimate that around 20 million people in the UK alone could be affected, though the exact number of impacted users remains unclear. Cybersecurity professionals warn that the leaked data, including GPS locations and IP addresses, could enable scammers to blackmail or target individuals with advanced social engineering schemes.
The breach is being treated as a major international incident, with the hacker claiming to have accessed 17 terabytes of data. A 1.4GB sample containing millions of records has already been leaked on the dark web, revealing precise user movements and detailed location histories. Analysts confirm the sample’s authenticity, raising concerns about the broader implications of the stolen data.
Gravy Analytics specializes in gathering and selling location data collected from mobile apps. Often, users unknowingly agree to data-sharing terms when using these apps. This data is then sold to entities ranging from hedge funds and advertisers to government agencies like the Department of Homeland Security.
While GA’s services have been criticized in the past, this breach exposes the larger risks of the data brokerage industry. The US Federal Trade Commission (FTC) has already filed complaints against GA for tracking users’ visits to sensitive locations without proper consent. This breach underscores the ongoing issues with the collection and sale of location data.
Several app companies whose users may be affected have issued statements. Vinted, a popular secondhand clothing marketplace, said it has no direct partnership with GA but is investigating any potential indirect impact.
Tinder also denied having a direct relationship with GA, emphasizing its commitment to user safety. Spotify claimed that no user data from its platform was involved in the breach.
The stolen data could reveal much more than daily habits, potentially identifying individuals targeted by law enforcement or government agencies. Experts warn that criminals could exploit this information for fraud, identity theft, or even blackmail. Alan Woodward, a cybersecurity professor, highlighted that stolen location data could easily be used to scam people by mimicking their recent activities.
The breach adds to a growing list of incidents involving data brokers. Earlier this year, another leak exposed sensitive information, including Social Security numbers, affecting hundreds of millions of people.
The Gravy Analytics breach, however, focuses on location data, which experts argue is just as sensitive due to its potential to compromise personal privacy.
The hack has reignited calls for stricter regulations on data brokers, particularly regarding the sale of health and location data. Critics argue that the industry’s practices leave individuals vulnerable to exploitation.
The US Federal Trade Commission recently expressed concern that technology like GA’s could facilitate stalking, blackmail, or espionage.
For now, Gravy Analytics has not issued an official statement. Their website remains offline, and attempts to contact them have been unsuccessful. Meanwhile, cybersecurity experts continue to assess the scale and potential impact of the breach.