A major data broker hack may have leaked precise location info for millions

Last week, leading location data broker Gravy Analytics disclosed a data breach which could have resulted in the theft of accurate location data for millions of people, reports TechCrunch. That seems to include data from popular mobile games like Candy Crushas well as Dating Apps, Pregnancy Tracking Apps, and more, such as 404 Average he wrote Thursday, following his report of the violation two days before.

Baptiste Robert, CEO of digital security company Predicta Lab, said in a Wednesday post series that the small sample data set posted on a Russian forum contained data for “tens of millions of data points worldwide” and included “Sensitive places like the White House, the Kremlin, the Vatican, military bases, and more.” As TechCrunch notesthe exhibition alone contains more than 30 million places.

Gravy said in his disclosure to the Norwegian Data Protection Authority that it “identified unauthorized access to its AWS cloud storage environment” on January 4. It says in the disclosure that it is still investigating how long the hackers had access to its cloud environment and whether the hack “constitutes a reportable personal data breach.” Regarding what or who was affected, the company writes:

Gravy Analytics is working diligently to determine the scope of the incident and the nature of the information involved. Preliminary results indicate that an unauthorized person obtained some files, which may contain personal data. These are currently under analysis. If it is determined that personal data is involved, that personal data will likely be associated with users of third-party services that provide that data to Gravy Analytics.

Gravy Analytics was one of the two data brokers targeted last month in a proposed FTC order prohibiting them from “selling, disclosing, or using sensitive location data in any product or service.” The FTC at the time wrote that its subsidiary, Venntel, was collecting data from applications and selling access to that data to companies or government agencies, including the IRS, DEA, FBI and ICE.