Massive Data Breach at Gravy Analytics Exposes Millions of People's Location Data

Alexis Rowe

January 13, 2025

A massive data breach at location data broker Gravy Analytics has exposed tens of millions of people's location data, sparking concerns about individual privacy and national security. The breach, which was first reported by independent news outlet 404 Media, involves a hacker claiming to have stolen several terabytes of consumers' data from Gravy Analytics, including historical location data from top consumer phone apps.

The full scale of the breach is still unknown, but the leaked data represents tens of millions of location data points, revealing where people have been, live, work, and travel between. The data includes information from fitness and health, dating, and transit apps, as well as popular games. Gravy Analytics, which claims to track more than a billion devices around the world daily, has acknowledged the breach and notified data protection authorities in Norway and the UK.

The breach was discovered on January 4, when a hacker posted screenshots of location data on a closed-access Russian-language cybercrime forum. Unacast, the parent company of Gravy Analytics, disclosed the breach in a notice filed with Norway's data protection authorities, stating that a hacker had acquired files from its Amazon cloud environment through a "misappropriated key." The company's operations were briefly taken offline following the breach.

Data privacy advocates have long warned about the risks posed by data brokers like Gravy Analytics, which collect and sell consumers' location data without their consent. Researchers who have analyzed the leaked data say it can be used to extensively track people's recent whereabouts, including devices located at sensitive locations such as the White House, the Kremlin, and military bases around the world.

The leaked data also includes information about individuals' daily routines, allowing for easy deanonymization of ordinary people. In one example, the data tracked a person as they traveled from New York to their home in Tennessee. The dataset has also raised concerns about the safety of LGBTQ+ users, whose location data derived from certain apps could identify them in countries that criminalize homosexuality.

Gravy Analytics sources much of its location data from the online advertising industry, specifically from a process called real-time bidding. During this process, advertisers can see information about devices, including IP addresses, which can be used to infer a person's approximate location. Data brokers like Gravy Analytics can combine this information with other data to paint a detailed picture of someone's life and whereabouts.

Analyses of the location data have revealed thousands of ad-displaying apps that have shared bidstream data with data brokers, often unknowingly. Popular apps such as FlightRadar, Grindr, and Tinder have denied any direct business links to Gravy Analytics, but acknowledged displaying ads. However, by the nature of how the advertising industry works, it is possible for ad-serving apps to have their users' data collected without their knowledge or consent.

In light of the breach, digital rights groups are urging users to take measures to protect themselves from ad surveillance. Using ad-blockers or mobile-level content blockers can be an effective defense against ad surveillance. Android devices and iPhones also have device-level features that make it more difficult for advertisers to track users between apps or across the web. Users can also take steps to prevent apps from accessing their precise location when it's not required, reducing their data footprint.

The breach at Gravy Analytics comes weeks after the Federal Trade Commission banned the company and its subsidiary Venntel from collecting and selling Americans' location data without their consent. The FTC accused the company of unlawfully tracking millions of people to sensitive locations, including healthcare clinics and military bases.

The incident highlights the need for stronger regulations on data brokers and the online advertising industry, which often prioritize profits over individual privacy. As the investigation into the breach continues, users are left to wonder about the extent of the damage and the potential consequences for their safety and security.
