{"id":28596,"date":"2025-02-18T17:13:07","date_gmt":"2025-02-18T11:43:07","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=28596"},"modified":"2025-02-18T17:13:07","modified_gmt":"2025-02-18T11:43:07","slug":"geolocation-data-broker-leak","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/geolocation-data-broker-leak\/28596\/","title":{"rendered":"Geolocation data brokers: What they do and what happens when they leak"},"content":{"rendered":"

Our smartphones and other devices collect and then transmit massive amounts of data about us to dozens, maybe hundreds, of third-party companies every single day. This includes our location information, and the market for such information is huge. Naturally enough, the buying and selling goes on without our knowledge, creating obscure risks to our privacy.<\/p>\n

The recent hack<\/a> of location data broker Gravy Analytics clearly illustrates the potential pitfalls of such practices. This post analyzes how data brokers operate, and what can happen if the information they collect leaks. We also give tips on what you can do to protect your location data.<\/p>\n

What location data brokers are<\/h2>\n

Data brokers are companies that collect, process, and sell information about users. They get this information from mobile apps, online ad networks, online analytics systems, telecom operators, and a host of other sources from smart-home devices to cars<\/a>.<\/p>\n

In theory, this data is only collected for analytics and targeted advertising. In practice, however, there are often no restrictions on usage, and seemingly anyone can buy it. So, out there in the real world, your data can be used for pretty much any purpose. For example, an investigation last year revealed that commercial data brokers \u2014 directly or through intermediaries \u2014 may even serve government intelligence agencies<\/a>.<\/p>\n

Data brokers collect all kinds of user information, of which one of the most important and sensitive categories is location data. It\u2019s so in demand, in fact, that besides more generalized data brokers, firms exist that focus on it specifically.<\/p>\n

Those are the location-data brokers \u2014 organizations that specialize in collecting and selling information about user location. One of the major players in this segment is U.S. location tracking firm Gravy Analytics, which merged<\/a> with Norway\u2019s Unacast in 2023.<\/p>\n

The Gravy Analytics data leak<\/h2>\n

In January 2025, news broke of a data leak at Gravy Analytics. At first it was confined to unofficial reports<\/a> based on a post that appeared on a private Russian-language hacker forum. The poster claimed to have hacked Gravy Analytics and stolen the location data of millions of users, providing screenshots of the data trove as proof.<\/p>\n

It wasn\u2019t long before official confirmation<\/a> came through. Under Norwegian law, Gravy Analytics\u2019 parent, Unacast, was legally required to notify the national regulator.<\/p>\n

The company\u2019s statement<\/a> reported that on January 4, an unauthorized individual gained access to Gravy Analytics\u2019 AWS cloud storage environment \u201cthrough a misappropriated access key\u201d. The intruder \u201cobtained certain files, which could contain personal data\u201d.<\/p>\n

Analysis of the data Gravy Analytics leaked<\/h2>\n

Unacast and Gravy Analytics were in no hurry to specify what data could have been compromised. However, within a few days, an independent security researcher published their own in-depth analysis<\/a> of the leaked information based on a sample of the stolen data they\u2019d been able to obtain.<\/p>\n

\"User<\/a>

The Gravy Analytics leak included the location data of users worldwide. Source<\/a><\/p><\/div>\n

It turned out that the Gravy Analytics hack did indeed leak a gigantic set of location data of users worldwide \u2014 from Russia to the United States. The fragment analyzed by the researcher was 1.4GB in size, and consisted of around 30 million records \u2014 mostly collected in the first days of January 2025. Meanwhile, the hacker claimed the stolen database is 10TB, meaning it could potentially contain over 200 billion records!<\/p>\n

This data was collected by mobile apps and acquired by Gravy Analytics to be aggregated and subsequently sold to clients. As the analysis of the leak showed, the list of apps used to collect location data runs into the thousands. For example, the sample studied contained data collected from 3455 Android apps<\/a> \u2014 including dating apps.<\/p>\n

\"UK-based<\/a>

UK-based Tinder users\u2019 location data is an example of what can be found in the data leaked from Gravy Analytics. Source<\/a><\/p><\/div>\n

Tracking and deanonymizing users with the Gravy Analytics\u2019 leak data<\/h2>\n

What\u2019s most unpleasant about the Gravy Analytics hack is that the leaked database is linked to advertising IDs: IDFA for iOS and AAID for Android<\/a> devices. In many cases, this makes it possible to track users\u2019 movements over time. Here, for instance, is a map of such movements in the vicinity of the White House in Washington, D.C. (remember that this visualization uses only a small sample of the stolen data; the full database contains a lot more):<\/p>\n

\"Tracking<\/a>

Data in the Gravy Analytics leak linked to advertising IDs can be used to track users\u2019 movements over time. Source<\/a><\/p><\/div>\n

Worse yet, some data can be deanonymized. For example, the researcher was able to track the movements of a user who visited the Blue Origin launch pad:<\/p>\n

\"First<\/a>

An example of user deanonymization using location data leaked from Gravy Analytics. Source<\/a><\/p><\/div>\n

Another example: the researcher was able to track a user\u2019s movements from the Columbus Circle landmark in Manhattan, New York City, to his home in Tennessee, and then to his parents\u2019 house the next day. Based solely on OSINT data, the researcher learned a great deal about this individual, including their mother\u2019s name and the fact that their late father was a U.S. Air Force veteran.<\/p>\n

\"Second<\/a>

Another example of user deanonymization using location data leaked from Gravy Analytics. Source<\/a><\/p><\/div>\n

The Gravy Analytics data breach demonstrates the serious risks associated with the data broker industry, and location data brokers in particular. As a result of the hack, a huge volume of user location records collected by mobile apps spilled out into the public domain.<\/p>\n

This data makes it possible to track the movements of a great many people with fairly high accuracy. And even though the leaked database doesn\u2019t contain direct personal identifiers such as first and last names, ID numbers, addresses, or phone numbers, the linkage to advertising IDs can in many cases lead to deanonymization. So, based on various quasi-identifiers, it\u2019s possible to establish a user\u2019s identity, find out where they live and work, as well as trace their social connections.<\/p>\n

How to protect your location data?<\/h2>\n

Unfortunately, collecting user location data is now such a widespread practice that there\u2019s no easy answer to this question. Alas, there\u2019s no switch you can simply flick to stop all the internet companies worldwide harvesting your data.<\/p>\n

That said, you can at least minimize the amount of information about your location that falls into the hands of data brokers. Here\u2019s how:<\/p>\n