Russian-speaking hackers are believed to have stolen a huge trove of location data pulled from people’s phones around the world.
Tens of millions of phone coordinates pinged through the use of thousands of popular apps are said to have been accessed.
Experts said the information can be used to reveal ‘intimate’ details of people’s movements down to whether they were using their phone on the bus or on the toilet.
A post which appeared earlier this month on a well-known hacking forum contained a 1.4-gigabyte sample of what the author claimed to be more than 10,000 gigabytes of data taken from Gravy Analytics, a company which collects location data from phone use and sells it on.
A number of cyber security experts have analysed the sample and said it appears to be real information linked to the use of popular apps.
The apps include Spotify, Citymapper, Tinder, Grindr, Candy Crush, Temple Run, My Period Calendar & Tracker and MyFitnessPal, according to a list of thousands compiled by tech news outlet 404 Media.
The companies behind many of the named apps have said they do not work with Gravy Analytics, and some have said they do not track user location data at all.
Spotify claims it has confirmed that ‘no Spotify user data is involved in this hack’, while Tinder said it found ‘no evidence that this data was obtained from the Tinder app’.
But experts have said the information could have been collected through advertising linked to the apps, rather than the code of the apps themselves.
It’s thought that a large amount of data on how people are using their phones is collected from their interactions with ads which appear on apps, often without the knowledge of users or the apps’ developers.
Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media: ‘For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising “bid stream”.’
Some of the named apps, such as Grindr and Muslim Pro (a Muslim prayer app), have said they do not allow ad networks to collect users’ location data.
The Gravy Analytics hack is said to include coordinates pulled from devices in Europe, the US and Russia.
The sample data has been removed, although a number of experts were able to download and analyse it in the meantime.
Gravy Analytics, which claims to track more than a billion devices around the world daily, has yet to publicly comment on the matter.
Its parent company, Norwegian firm Unacast, is understood to have disclosed a breach to data protection authorities in Norway and the UK.
The notice filed in Norway said a hacker had acquired files from its Amazon cloud space using a ‘misappropriated key’, according to News.