A major data breach at Gravy Analytics, a prominent location data broker, has potentially exposed vast amounts of sensitive smartphone location data, including information previously sold to U.S. government agencies.
Hackers claim to have exfiltrated approximately 17 terabytes of data from the company's systems, marking what security experts call a watershed moment for location data privacy.
The breach, discovered in January 2025, has affected Gravy Analytics and its subsidiary Venntel, which provides location data services to various U.S. government agencies, including the Department of Homeland Security (DHS), Internal Revenue Service (IRS), and Federal Bureau of Investigation (FBI).
The attackers shared initial samples totaling 1.4GB on a Russian cybercrime forum called XSS, containing over 30 million location data points spanning multiple countries.
Security researcher Baptiste Robert analyzed the leaked samples and found they contained precise latitude and longitude coordinates tied to advertising IDs (AAID for Android and IDFA for iOS), along with timestamps that could reveal individuals' movements.
The data spans multiple countries, including the United States, Russia, Mexico, Morocco, and several European nations. Particularly concerning is the inclusion of sensitive locations such as the White House, Kremlin, Vatican, and military bases.
The breach appears extensive, with hackers claiming root access to Gravy Analytics' Ubuntu servers, control over the company's domains, and access to Amazon S3 buckets dating back to 2018.
The attackers have threatened to publish the entire dataset if the company fails to respond within 24 hours.
This security incident comes at a particularly sensitive time for Gravy Analytics, following recent regulatory action. In December 2024, the Federal Trade Commission (FTC) took sweeping action against both Gravy Analytics and Venntel, alleging violations of consumer privacy laws through the collection and sale of sensitive location data without proper user consent.
The FTC's proposed order would ban the companies from selling or disclosing sensitive location data except in limited circumstances involving national security or law enforcement.
Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, speaking with 404 Media, warned that this breach represents "the nightmare scenario all privacy advocates have feared."
The compromised data could enable the deanonymization of individuals and create tracking risks for high-risk individuals such as activists, journalists, and military personnel.
At the time of writing, Gravy Analytics' website remains offline, showing a "503 Service Temporarily Unavailable" message.
The incident has sparked renewed calls for stronger federal privacy protections and increased oversight of the data brokerage industry.
This breach serves as a stark reminder of the privacy implications of smartphone apps sharing location data with third-party companies, and the potential consequences when such information falls into unauthorized hands.
From the released sample data, Robert has extracted the package names of Android apps that "leak" user locations; the list contained 3455 apps.
Users are advised to review their mobile privacy settings and consider disabling or limiting location tracking permissions for apps when possible.
To protect yourself, open your phone's settings:
- On Android: Go to Settings > Privacy > Ads > Delete advertising ID
- On iOS: Go to Settings > Privacy & Security > Tracking > Allow Apps to Request to Track