In what is being treated as a major international data breach, it is being reported that hackers have targeted US company Gravy Analytics (GA) which brokers location data for thousands of popular apps.
Many companies collect customers’ locations when they use their apps. This data is then sold, either directly or indirectly, to a company like GA, which will then sell the data on to others such as hedge funds, insurance firms, or Government agencies.
Alan Woodward, professor of cybersecurity at the University of Surrey, said: “It’s the loss of privacy that should be of greatest concern. You can immediately see how location history or very recent location could be a great way of socially engineering someone in a scam for further unauthorised access.”
Second-hand marketplace, Vinted, is thought to be one of the apps potentially impacted by the hack (Photo: NurPhoto/Getty)
As well as posting the location details of millions of users, the hacker also detailed the more than 10,000 apps from which the location data originated. The list included apps such as Vinted, Spotify, Candy Crush, and dating app Tinder as examples.
They said: “We are taking this matter seriously, as the safety of our members is a top priority. We are actively looking into the situation to determine whether our platform or members may have been affected, including any potential indirect impact through third parties. At this time, we do not have enough information to confirm any connection or impact.”
The hack, which is believed to be a blackmail attempt, is also thought to contain the GPS locations and IP addresses from millions of phones using popular apps and is understood to contain location histories of individuals, potentially spanning several years.
The i Paper has learned the hacker could have obtained upwards of 10 terabytes of data, which is many thousands of times larger than what has already been released on the dark web. If true, it will represent one of the most significant hacks in recent history.
The breach highlights the growing concern around mobile apps being able to track users’ locations. As part of the standard practice of data brokering, many popular apps constantly track users to generate data which can then be used by third parties to launch targeted marketing campaigns.
The firm also works with thousands of companies to hoover up location data and help clients understand the movements of their users for tailored advertising and marketing.
Matt Gull, Global Head of Threat Intelligence and cyber security expert at NCC Group, said: “For cybercriminals and nation-states alike, data is one of the key commodities in cyberattacks. In the event of a breach, malicious groups can exploit data not only for extortion but also to sell it on to other criminals, who can use it to commit further offences such as fraud and identity theft. This latest data breach at Gravy Analytics threatens to expose the location data of millions of users, underscoring the urgent need for robust data protection measures.”
The Government’s National Cyber Security Centre (NCSC) was also approached for comment.
What is location data and how might the hack impact you?
By Chris Stokel-Walker
The hack of Gravy Analytics is a major development – but what is the data in question, and does it matter to us that it’s being traded?
What is location data?
The clue is in the name: it identifies your – or more accurately, your device’s – location. It can be obtained in different ways, said Alan Woodward, professor of cybersecurity at the University of Surrey. “The most obvious way is when location services are enabled on a mobile device,” he explained.
When an app asks for permission to use your data, for instance in the case of Vinted to find nearby sellers, and you grant permission to that app, you do so either for a single use, only while using the app, or permanently. “Some people give it access ongoing rather than just not when the app is in use,” said Woodward.
How is the data extracted?
Generally, this data is obtained by seeing where a mobile phone pings base stations on a phone network. When you travel around the country, within an area or inside a town or city, your mobile phone seeks out the nearest possible phone mast to obtain service. This can be triangulated to identify your movements.
The Information Commissioner’s Office, the UK data protection authority, officially classes only data obtained in this way as location data.
But phones can provide their location in other ways, such as from GPS signals, which are radio signals transmitted from satellites orbiting the Earth that do something similar. Public wi-fi networks and Bluetooth beacons can also identify a phone’s location.
How is location data used?
Location data can be a boon for legitimate service providers. For many mobile food ordering apps, for instance, it can help identify when you’re in one branch of a pub or restaurant rather than another, or can be used by ridesharing and taxi services to pinpoint where exactly to pick you up. GPS location data is accurate to within around five metres.
It can also be used to tailor adverts or other services, said Woodward. “Some marketing companies do determine location, including inferring it from your browser and device when you access a site, and use this to target ads,” he explained.
Location data can be highly valuable to legitimate businesses, which is why firms like Gravy Analytics operate. One estimate valued the location data services industry at $21bn – a number only likely to have risen since. And if it’s of value to legitimate providers, it’ll be valuable to bad actors.
Who is most at risk of location data being hacked and sold or ransomed?
Anyone, in a word. “It’s the loss of privacy that should be of greatest concern,” said Woodward. “You can immediately see how location history or very recent location could be a great way of socially engineering someone in a scam for further unauthorised access.” If, for instance, a hacker can see that you’ve recently been to a bank or doctor’s office, they could then send you messages pretending to be that organisation, convincing you to hand over personal data.
How can you minimise your risks?
The simplest way is to be judicious about when, and to whom, you grant access to your location data. Many apps ask for vast volumes of information, because it allows them to build up a better picture of who you are, and therefore makes the information they hold about you more valuable to sell to advertisers.
But they don’t need that level of detail, and the improvements they offer individual users for handing over that data are minimal. So check within your phone’s settings which apps have location data permanently turned on, and switch them off – only allowing them access when utterly necessary.