We all know that apps collect our data, but what do companies do with that data? Some sell it, some use it for targeted advertising, some use it to help you connect with other users nearby, and there are countless other ways it can be used too. In a nightmare scenario, a firm that collects that data from thousands of apps has been hacked, with the hackers threatening to release all of the data publicly. This data includes customer lists, information about the industry, and historical location information collected from smartphones.

As reported by 404 Media, the hackers wrote that "personal data of millions users is affected", and gave Gravy Analytics 24 hours to respond before they begin releasing the data. Venntel, a subsidiary of Gravy Analytics, has previously sold data to the U.S. government, where it has been used as part of immigration operations at the U.S. border.

Thousands of apps collected location data that found its way to Gravy Analytics

Chances are, you have at least one of these

Wired published a list of thousands of Android and iOS apps whose data found its way to Gravy Analytics; some notable entries include:

Candy Crush

Tinder

Grindr

Microsoft Outlook

My Period Calendar & Tracker

MyFitnessPal

MyAnimeList

Goat Simulator

Bloons TD Battles

At present, it's unclear whether all of the data was sourced by Gravy itself, or whether the company purchased some of it from other data collectors in the space. While it's not clear exactly when the data was collected, Call of Duty Mobile: Season 5 is on the list, and Season 5 started in May 2024.

The data itself seems to have been collected through real-time bidding. Participants who bid in real-time advertising auctions can see device details and IP addresses as part of each bid request, and app publishers would not necessarily know which companies are bidding on ad placements in their apps.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals are haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high-risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won't be the last.”

Edwards also told 404 Media: "For years, this data has been sold to corporate and government interests but it's never been widely available to all the threat actors targeting Western users. This type of data has been used to track visits to abortion clinics, sensitive government locations, and locations which could identify sensitive protected qualities of people like their sexual orientation."

Some of this data doesn't appear to come from precise location data at all, but from coarse location derived from IP addresses. However, apps that request precise location permissions could have had those permissions hijacked. Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media that some of the user agent strings (which identify the app and device software making the request) reference "afma-sdk", the Google Mobile Ads SDK.
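To make concrete what an auction participant receives in the real-time bidding flow described above, and how precise versus IP-derived location and the "afma-sdk" user agent marker show up, here is an added example (not code from the article or from any company it names). It assumes the bid requests follow the OpenRTB 2.x device/geo layout; the three request strings are constructed samples.

```python
import json
from typing import Dict, List

# OpenRTB 2.x device.geo.type values (assumed layout of the bid requests).
GEO_TYPE = {1: "GPS/location services", 2: "IP address", 3: "user provided"}

# Constructed sample bid requests; every value here is illustrative.
SAMPLE_BID_REQUESTS = [
    '{"id":"req-1","app":{"bundle":"com.example.game"},'
    '"device":{"ip":"203.0.113.10","ua":"Mozilla/5.0 (Linux; Android 13) afma-sdk-a-v12345.x",'
    '"ifa":"11111111-2222-3333-4444-555555555555",'
    '"geo":{"lat":37.4219,"lon":-122.0840,"type":1}}}',
    '{"id":"req-2","app":{"bundle":"com.example.reader"},'
    '"device":{"ip":"198.51.100.7","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)",'
    '"geo":{"lat":40.71,"lon":-74.01,"type":2}}}',
    '{"id":"req-3","app":{"bundle":"com.example.notes"},'
    '"device":{"ip":"192.0.2.55","ua":"ExampleApp/1.0"}}',
]

def audit_bid_request(raw: str) -> Dict[str, object]:
    """Summarise the location-identifying data a bidder sees in one request."""
    req = json.loads(raw)
    device = req.get("device", {})
    geo = device.get("geo", {})
    ua = device.get("ua", "")
    has_coords = "lat" in geo and "lon" in geo
    geo_type = geo.get("type")
    if has_coords and geo_type == 1:
        precision = "precise (device location services)"
    elif has_coords:
        precision = "coarse (%s)" % GEO_TYPE.get(geo_type, "unknown source")
    elif "ip" in device:
        precision = "IP-only (coarse geolocation possible)"
    else:
        precision = "none"
    return {
        "id": req.get("id"),
        "app": req.get("app", {}).get("bundle"),
        "precision": precision,
        # A stable advertising ID lets records be joined across apps and time.
        "linkable_id": "ifa" in device,
        # The Google Mobile Ads SDK identifies itself with "afma-sdk" in the UA.
        "google_ads_sdk": "afma-sdk" in ua,
    }

def audit_all(raws: List[str]) -> List[Dict[str, object]]:
    return [audit_bid_request(r) for r in raws]

if __name__ == "__main__":
    for row in audit_all(SAMPLE_BID_REQUESTS):
        print(row)
```

Run against a real bid-request log, the same summary shows a privacy reviewer which apps ship precise coordinates bundled with an IP address and a linkable advertising ID.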

Multiple companies, including Tinder and Grindr, denied any knowledge of a relationship with Gravy Analytics, stating that they had no evidence the data was collected through their apps.