Gravy Analytics breach of location data puts millions of us at risk

January 13, 2025

As previously reported, a hacker claimed to have acquired a massive amount of data from Gravy Analytics. A sample of the data, confirmed by 404Media, was posted on a Russian-language forum by a user called “Nightly,” with a threat that if payment was not made, all of the data would be leaked. That post was subsequently removed and has not reappeared, leading many people to suspect that Gravy Analytics paid the hacker’s extortion demand. Gravy Analytics has not confirmed or refuted that.

Gravy Analytics compiled location data on people. The data was reportedly collected by apps people routinely and innocently installed on their phones, unaware that the apps were collecting and storing location data. Gravy Analytics’ activities drew federal attention. Prior to the hacking incident, the Federal Trade Commission had announced that it was taking action against Gravy Analytics and its subsidiary Venntel Inc. for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship. Under a proposed order, Gravy Analytics and Venntel would be prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.

And then the breach happened.

TechCrunch reports that Gravy Analytics’ parent company, Unacast, disclosed the breach to Norway’s data protection authorities on January 11:

In its data breach notice filed with Norway, Unacast said it identified on January 4 that a hacker acquired files from its Amazon cloud environment through a “misappropriated key.” Unacast said it was made aware of the breach through communication with the hacker, but the company gave no further details. The company said its operations were briefly taken offline following the breach.

Gravy Analytics’ site was last indexed by archive.org on December 19. It is currently offline, with Cloudflare serving a cached copy from archive.org.

TechCrunch also reports that 30 million data points have been leaked so far. While the sample data posts have been removed, they live on in various screenshots around the internet, and in the hands of security firms and journalists who analyzed or reported on the breach. There is also a publicly available list of all the apps from which Gravy Analytics presumably obtained the location data. An alternative format and copy was also shared on Google. A thread on X (formerly Twitter) by Robert Baptiste, who had access to the sample, provides additional details.

Between the Gravy Analytics breach and the PowerSchool breach, 2025 does not seem to be getting off to a good start in terms of data protection.