Some iPhone owners may have been protected by a feature that was introduced with iOS 14.5.
Gravy Analytics recently disclosed the data breach that resulted in exfiltration of location data
Photo Credit: Pexels/ Sora Shimazaki
A data breach has exposed the precise location information provided by millions of users to popular apps that serve advertisements, including dating apps, games, email clients, and even a period tracking app. A hacker who claimed responsibility for breaching data broker Gravy Analytics managed to collect data that could reveal users' location information, including their home and workplace. Data collected from iOS and Android smartphones was affected in the breach, but some iPhone owners may have been protected by a feature that was introduced with iOS 14.5.
A recent 404 Media report revealed that a hacker had breached Gravy Analytics, a data broker that collects and monetises location information from applications that are designed for iOS and Android smartphones. It resulted in the exfiltration of customer lists as well as location information from smartphones "which show people's precise movements".
The firm's parent company, Unacast, disclosed to Norwegian authorities (via NRK) that a hacker managed to use a "misappropriated key" to access data via its cloud-based storage. The incident took place on January 4, according to the company's disclosure. However, the document doesn't reveal information related to the scale of the data breach.
According to Predicta Lab CEO Baptiste Robert, who accessed a 1.4GB sample of the leaked information, the data includes "tens of millions of location data points", including military bases, as well as the Kremlin, the White House, and even the Vatican.
Robert also stated that the sample contained a list of 3,455 package names for Android that leaked user data, while pointing out that this was only a subset of the breached data. These reportedly include popular apps like Tinder, Grindr, Candy Crush, MyFitnessPal, Subway Surfers, Tumblr, and even Microsoft 365
According to Robert, the sample of the data from the breach reveals that the location data is linked to a device's advertising ID. On an Android smartphone, a user's location is connected to their Android Advertising ID (AAID), a unique 32-digit identifier that can be reset by users. Meanwhile, iPhone users' location is tied to the Identifier for Advertisers (IDFA), a unique alphanumeric string that is assigned to a device.
This means that iPhone owners who are running on iOS 14.5 or later, which includes App Tracking Transparency (ATT), were protected if they selected the Ask App Not to Track option. When a user selects this option, iOS returns an empty value instead of their IDFA. Apple also allows users to block all requests to track users by default.
The expert says iPhone owners can navigate to Settings > Privacy & Security > Tracking and disable the Allow Apps to Request To Track toggle, while Android users can head to Settings > Privacy > Ads and tap on Delete advertising ID.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.