Thousands of apps, used by millions of people, are leaking location data thanks to a hack of location data company Gravy Analytics.

One of the world’s most high-profile international data breaches has compromised location data on apps used by an estimated 20 million people in the UK – although it is not yet known how many of those have had their location data stolen.

The breach of US location data company Gravy Analytics, which brokers location data for more than 10,000 popular apps, was revealed in early January. The i Paper exclusively disclosed the long list of affected apps this week; it includes Vinted, Spotify, Candy Crush and Tinder.

The second-hand marketplace, Vinted, is considered one of the apps likely to be affected by the hack (Image: NorPhoto/Getty)

The list is part of a 1.4 GB sample of data that is believed to have been stolen from Gravy Analytics by an unknown hacker named “Knightly”, who shared it on the dark web. The complete data set is believed to include 10 million records of the company’s location data, as well as the GPS locations and IP addresses of millions of phones.

The release of compromised data highlights issues that should concern us all. “If you have a smartphone, there is a 100 percent chance that your location has been transmitted to a company like Gravy Analytics at some point,” said Baptiste Robert, a French ethical hacker and CEO of Predicta Lab. Here’s why you should be concerned.

1. It highlights the enormous scale of data collection.

While hacking a data broker like Gravy Analytics is a concern because it could put user data in the hands of bad actors, the fact that this data is being collected on such a large scale is surprising to many. “These companies are operating legally in countries where they are allowed to,” said Alan Woodward, professor of cyber security at the University of Surrey. “Hackers don’t have to attack you, they attack them.”

The scale of the data the hackers obtained is also indicative of how much information we provide to apps on a daily basis. Location data services have become an industry worth 21 billion dollars (£17.1bn).

“This massive breach proves that the currency of data is growing more than ever,” said Jack Moore, a cybersecurity expert at ESET, a software company that specializes in combating malware. “Advertisers and criminals alike are after user information, but worryingly, many users often casually discard it, relegating it to a necessary evil of having online accounts.”

Moore said the most alarming thing about the Gravy Analytics hack is its scale. “The amount of data that is being targeted is another blow to privacy advocates that big companies are trying to rule over people,” he said.

2. It shows how little traceability there is.

While the hack of Gravy Analytics revealed the data, it also highlighted just how complex the advertising industry is. Companies like Gravy Analytics collect location data from mobile phones from various sources and then sell it to other companies.

Advertisers and other firms then buy the data collected by the company – meaning apps whose data has been breached won’t know about it until they’re on the affected list. Tinder denied having a direct relationship with Gravy Analytics, as did Vinted, while Flightradar24 and Muslim Pro, a Muslim prayer app, told 404 Media they had nothing to do with the company.

Michael Weil, associate professor of law at University College London, who specializes in digital law, said: “This is a reminder that there is no excuse for the current practice of advertising by thousands of shadowy companies ranging from foreign governments to law enforcement. Companies sell intimate data like location to buyers. Millions of people’s movements, home and work addresses, now appear to be easily accessible to criminals. It won’t be long before, with the help of AI, they use these locations for fraud, identity theft and social engineering used to promote scams.”

3. The data involved is highly personal.

“A data breach involving location data is particularly worrisome because it exposes sensitive details about an individual’s movements, and often puts their privacy and security at risk,” said Moore. “Criminals can use this information for malicious activities.”

Apart from just knowing where a person is located, it is also possible to identify their movements. Sensitive locations can be tracked, including the White House, the Kremlin, and US military bases. Robert of Predicta Lab has tracked individuals using the leaked data to individual hotels, as well as identifying the location of Tinder users in the UK. “Experience shows that we’re all creatures of habit, and things that emerge are hotspots in the history of your location,” Woodward said.

Spotify has also been caught up in the Gravy Analytics hack.

While some apps require location data to properly unlock some of the features they provide, others such as Spotify and Vinted do not need to know the specific locations of their users, apart from the country they are in.

Others may give away information about their users simply by the type of app: for example, the presence of a married individual’s information on a Tinder-linked data list may suggest infidelity, while other apps in the list may be potentially embarrassing if attached to an individual.

4. The number of people affected is very high.

“Even though this is just a sample from a large leak, it’s already significant,” Robert said. “Access to this type of data is extremely rare, especially in such large amounts. Even though the data is ‘anonymous’ it is possible to track individual citizens, anonymize military personnel, and more. The potential implications are enormous.”

However, Moore believes that the problem – and the high profile – may have a silver lining. “With some of the biggest apps in the world caught up in this breach, hopefully this could be the straw that breaks the camel’s back in terms of improving data collection,” he said.


