Explore how Gravy Analytics' massive data breach threatens global user privacy, revealing sensitive location info and fueling new security fears.

Continue reading
Gravy Analytics Data Breach Exposes Millions to Location Privacy Risks
In an alarming development that underscores the vulnerabilities of the lucrative location data industry, Gravy Analytics and its parent company Unacast have disclosed a major data breach that could affect the privacy of millions of smartphone users worldwide. The breach, which hackers claim involves the theft of several terabytes of data, highlights the deep-rooted dangers of granular location tracking and the broader implications for personal privacy and national security.
Initial reports of the data breach surfaced in early January, when a hacker posted screenshots of highly sensitive location data on a Russian-language cybercrime forum. According to initial findings:
In compliance with Norwegian law, Unacast—founded in Norway in 2004 and merged with Gravy Analytics in 2023—filed a data breach notice with the Norwegian Data Protection Authority. Unacast confirmed it had briefly taken its operations offline following the discovery of the breach.
So far, more than 30 million location data points have been leaked, representing a fraction of what the hacker allegedly stole. Security researchers examining the sample noted several potentially sensitive locations within the dataset:
According to Baptiste Robert, CEO of digital security firm Predicta Lab, the leaked data can pinpoint users’ movement between home and work, making them easily identifiable. Potentially, this data could be used for deanonymization, revealing a person’s identity through consistent location patterns.
A significant portion of Gravy Analytics’ location data is collected via the real-time bidding (RTB) process, a behind-the-scenes ad auction that occurs in mere milliseconds. When you open an app or a webpage that displays ads:
App developers sometimes do not realize the extent to which user data is being harvested. Even apps that claim no direct partnerships with Gravy Analytics—such as FlightRadar, Grindr, and Tinder—may inadvertently share location information simply by embedding third-party ad networks.
Experts warn that seemingly “anonymous” data becomes easily deanonymized when cross-referenced with other publicly available or leaked databases. One example cited a user traveling from New York to their home in Tennessee, making them easy to identify once both data points are connected.
While no official list of “compromised apps” exists yet, researchers found location data from:
Many of these services deny any direct contractual ties to Gravy Analytics but acknowledge that they display in-app ads. Because the digital advertising ecosystem is complex, a single ad auction can expose a user’s data to multiple unseen bidders simultaneously.
Only weeks before the breach, the Federal Trade Commission (FTC) issued an order against Gravy Analytics and its subsidiary Venntel, banning both companies from collecting and selling the location data of U.S. users without explicit consent. The FTC had accused Gravy Analytics of illegal tracking at sensitive locations like healthcare facilities and military bases.
As location data is commonly shared during every digital ad auction, minimizing your exposure can significantly reduce risks. Here are some best practices:

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been