Full Report
A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.
Analysis Summary
# Incident Report: Mass Location Data Harvesting via Advertising Ecosystem
## Executive Summary
Thousands of popular mobile applications (including games, dating, and utility apps) served as unwitting sources for a massive harvest of sensitive user location data, which ultimately flowed to location data broker Gravy Analytics (whose subsidiary Venntel sells data to US law enforcement). The alleged primary vector was attackers co-opting the Real-Time Bidding (RTB) advertising stream rather than exploiting vulnerabilities within the apps themselves. The known impact is the potential exposure of tens of millions of location coordinates tied to specific apps, raising severe privacy concerns. The incident came to light through the publication of hacked files reportedly stolen from Gravy.
## Incident Details
- Discovery Date: Undisclosed, reported by 404 Media upon reviewing leaked files.
- Incident Date: Data appears to date from at least 2024 (based on app versions cited).
- Affected Organization: Gravy Analytics (data source/storage location); numerous third-party apps affected as data originators.
- Sector: Location Data Brokerage, Advertising Technology (AdTech).
- Geography: Global data set including devices in the US, Russia, and Europe.
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated, but data indicates activity in 2024.
- Vector: Real-Time Bidding (RTB) advertising stream interception/harvesting.
- Details: Attackers (or rogue actors within the industry) exploited the RTB bidding process where location data is broadcast, harvesting it in bulk rather than relying on traditional SDK ingestion embedded in apps.
### Lateral Movement
- Not applicable in a traditional sense. The incident details a bulk data acquisition/harvesting mechanism rather than network intrusion into user devices or app servers.
### Data Exfiltration/Impact
- Tens of millions of mobile phone coordinates, correlated with the name of the originating application, were compromised/leaked via hacked Gravy files.
- The data was revealed to be linked to Gravy Analytics' infrastructure (Snowflake instances).
### Detection & Response
- Detection: The incident was uncovered by 404 Media after obtaining and reviewing hacked data files allegedly sourced from Gravy Analytics.
- Response actions taken: Security researchers analyzed the leaked data to compile lists of affected applications and to confirm the data's provenance (e.g., by checking the leaked Snowflake credentials). Researchers communicated their findings publicly, leading to increased scrutiny of the AdTech data supply chain.
## Attack Methodology
- Initial Access: Interception/harvesting of high-volume data streams via Real-Time Bidding (RTB) bid stream.
- Persistence: Not applicable; this was a bulk acquisition/harvesting event impacting data collection processes.
- Privilege Escalation: Not applicable.
- Defense Evasion: The method bypassed the security controls of the individual applications entirely, instead leveraging the accepted, albeit privacy-invasive, functionality of the AdTech ecosystem to acquire data without the knowledge or consent of users or app developers.
- Credential Access: Hacked files reportedly contained credentials for Gravy’s Snowflake data warehousing instances.
- Discovery: Reconnaissance was performed by researchers analyzing the leaked dataset to identify originating applications.
- Lateral Movement: Not applicable.
- Collection: Bulk collection of mobile phone coordinates linked to application identifiers.
- Exfiltration: The data was reportedly exfiltrated from Gravy's storage infrastructure; the leaked files were posted publicly following a hack of that infrastructure.
- Impact: Massive privacy exposure of location histories associated with specific apps.
## Impact Assessment
- Financial: Not disclosed. Potential regulatory fines related to prior FTC actions against Gravy/Venntel may apply.
- Data Breach: Tens of millions of location coordinates (US, Russia, Europe) linked to specific apps (e.g., Tinder, Candy Crush, religious apps, VPNs).
- Operational: No direct operational disruption to the affected end-user applications was reported; the disruption was to the data broker supply chain.
- Reputational: Significant negative reputational damage to Gravy Analytics and the wider AdTech data brokerage industry, highlighting systemic privacy failures.
## Indicators of Compromise
- Network indicators: None provided (URLs/IPs defanged or unavailable).
- File indicators: Hacked files reportedly contained credentials for Gravy’s Snowflake instances (internal indicators).
- Behavioral indicators: Bulk data ingestion observed via the RTB bid stream process, characteristic of mass harvesting rather than standard SDK integration.
## Response Actions
- Containment measures: Not explicitly detailed regarding the initial breach of Gravy's system.
- Eradication steps: Not applicable to the harvesting technique itself, though the FTC previously ordered Gravy/Venntel to delete historical location data.
- Recovery actions: Researchers published lists of affected apps for public awareness; industry scrutiny increased regarding RTB data sourcing.
## Lessons Learned
- Key takeaways: The Real-Time Bidding (RTB) infrastructure represents a massive, largely unscrutinized vector for large-scale location data harvesting, often without the knowledge of app developers or users. Data brokers acting as intermediaries (like Gravy/Venntel) aggregate vast amounts of sensitive location information and supply it to government agencies.
- What could have been done better: Stricter regulatory oversight and technical auditing of the RTB data stream, similar to the FTC's action against Mobilewalla, are crucial to prevent data brokers from using the advertising process solely for dataset building.
## Recommendations
- Implement mandatory, auditable consent mechanisms for all data shared through the advertising bid stream, ensuring data is only used for its intended advertising purpose.
- Location data brokers must be subject to stringent third-party audits to verify the provenance and legality of the data they ingest via AdTech channels.
- Organizations, especially those handling sensitive data (e.g., VPNs, health apps), must rigorously vet any third-party SDKs or advertising partners to ensure location data is not being inadvertently sold or harvested via RTB.
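The recommendations above come down to two controls on the bid stream: a consent gate and data minimization before a request leaves the app or its supply-side partner. The following Python script is an added example (not code from the original report, from Gravy, or from any ad exchange) showing what such a gate looks like against a constructed bid request. Field names (`device.geo.lat`, `device.geo.lon`, `device.ifa`, `app.bundle`) follow the public OpenRTB 2.x layout; the `location_consent` flag, the sample request, and the audit rules are assumptions made for this illustration.

```python
"""Bid-request consent gate and geo minimization (added example).

Field layout follows public OpenRTB 2.x conventions; the consent flag
name and the sample request are constructed for illustration.
"""
import copy

# Constructed sample bid request (not real data): precise coordinates, an
# advertising ID and the originating app bundle, i.e. the fields an RTB
# exchange broadcasts to every bidder on each ad opportunity.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-0000-0000-0000-000000000001",
        "geo": {"lat": 37.774929, "lon": -122.419416, "type": 1},
    },
    # Hypothetical consent flag recorded by the app's consent dialog.
    "user": {"ext": {"location_consent": False}},
}

# Two decimals of latitude/longitude is roughly 1 km: coarse enough for
# regional ad targeting, too coarse to reconstruct a movement history.
COARSE_DECIMALS = 2


def _has_consent(request):
    """Read the hypothetical consent flag; missing means no consent."""
    return bool(request.get("user", {}).get("ext", {}).get("location_consent", False))


def minimize_geo(request, precision=COARSE_DECIMALS):
    """Return a copy of the request with location data minimized.

    Without consent the precise geo object and the advertising ID are
    dropped, so the request carries neither a location nor a stable
    identifier to join it to. With consent the coordinates are rounded
    to `precision` decimals before the request is forwarded.
    """
    req = copy.deepcopy(request)
    device = req.setdefault("device", {})
    geo = device.get("geo")
    if geo is None:
        return req
    if not _has_consent(req):
        device.pop("geo", None)
        device.pop("ifa", None)
        return req
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], precision)
    return req


def audit_findings(request, precision=COARSE_DECIMALS):
    """List the policy violations a supply-chain audit would flag.

    Run this over bid requests observed leaving the app (or a partner's
    logs) to check that the controls above are actually applied.
    """
    findings = []
    device = request.get("device", {})
    geo = device.get("geo", {})
    consent = _has_consent(request)
    if geo and not consent:
        findings.append("precise geo sent without location consent")
    if "ifa" in device and not consent:
        findings.append("advertising ID sent without location consent")
    for key in ("lat", "lon"):
        value = geo.get(key)
        if value is not None and abs(value - round(value, precision)) > 1e-9:
            findings.append(f"{key} carries more than ~1 km precision")
    return findings


def with_consent(request, granted):
    """Copy of the request with the consent flag set (test helper)."""
    req = copy.deepcopy(request)
    req.setdefault("user", {}).setdefault("ext", {})["location_consent"] = granted
    return req


if __name__ == "__main__":
    print("raw request findings:", audit_findings(SAMPLE_BID_REQUEST))
    print("after minimization (no consent):",
          audit_findings(minimize_geo(SAMPLE_BID_REQUEST)))
    consented = with_consent(SAMPLE_BID_REQUEST, True)
    print("after minimization (consent):",
          minimize_geo(consented)["device"]["geo"])
```

The audit function is the part a practitioner would keep: pointed at captured bid requests, it answers the vetting question in the last recommendation (is this SDK or partner still emitting precise coordinates and an advertising ID without consent?) rather than relying on the partner's description of its own behaviour.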