Data Broker Discloses A Major Breach Of App User Data

A subsidiary of a leading US location data broker, Unacast, has informed the Norwegian national Data Protection Authority, Datatilsynet, that it has been breached in a severe incident.

According to reports, the hack might have resulted in the theft of precise location data for millions of smartphone users. 

The subsidiary, named Gravy Analytics, told Datatilsynet that a hacker accessed its Amazon Web Services (AWS) cloud storage environment. In its incident report, Datatilsynet says that the breach involved the theft of information from a Gravy Analytics web server using a "misappropriated" key.

While the breach report contains only a few details of the incident, hackers have claimed on a Russian cyber crime forum to have stolen a vast amount of data. “The unauthorised person obtained some files, but the contents of those files and whether they contain personal data remains under investigation,” the breach report says. If personal data was obtained, it is “likely associated with users of third-party services that supply this data to Gravy Analytics,” Datatilsynet's report says.

The hacked data appears to have originated in thousands of apps that Gravy Analytics drew data from, including Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps. A preliminary investigation showed that some of the stolen files "could contain personal data."

Unacast also owns Venntel, a data broker that also provides the US government with location data. In December 2024 the Federal Trade Commission (FTC) ruled that Gravy Analytics and Venntel violated the FTC Act by unfairly selling non-anonymised consumer location data. The FTC also alleged the firms used that data without obtaining “verifiable user consent for commercial and government uses.”  

Gravy Analytics apparently continued to gather and use consumers’ location data even after realising that consumers had not given “informed consent” for the collection, the FTC said.

The FTC order is notable because it sets new limits on law enforcement usage of the companies’ location data for investigative purposes. Law enforcement and intelligence agencies have acknowledged that they obtain data from brokers that historically would only have been available with a warrant. 

404Media | Datatilsynet | NRK | Record
