Millions of location data points were hacked from Gravy Analytics

A recent data breach has revealed how popular apps (Tinder, Grindr, Candy Crush etc.) may have unknowingly participated in the harvesting of sensitive location data.[1] The data was collected through the advertising ecosystem and even the app developers might not have been aware of it. This breach, which involved location data company Gravy Analytics, reveals a major privacy issue where users’ sensitive information was captured and sold to third parties.[1]

Gravy Analytics is one of the major location data companies: it obtains mobile phone location data from other sources and sells it to both commercial clients and government agencies. The breach exposed tens of millions of mobile phone coordinates from the US, Russia and Europe associated with apps that ranged from dating sites such as Tinder to fitness apps such as MyFitnessPal and even apps for prayer among Muslims and Christians. Many of the users probably did not even know their location data had been sold to these companies without consent.[1]

Breach of Gravy Analytics’ location data [2]

The data in question was harvested through a process called real-time bidding (RTB), a very common practice in the online advertising industry.[3] RTB allows companies to bid for ad space in apps, but in the process they can also access user location data and other private data. This means that data brokers such as Gravy can listen in on this bidding process and collect data on users’ mobile devices, even without their knowledge. The information is often used to target ads, but in this case it was sold to various entities including US law enforcement agencies for surveillance purposes.[1]

Location data companies used to pay app developers to include code that collected user data directly. However, the breach has shown that companies are increasingly turning to the advertising ecosystem as a means of acquiring this data. RTB data provides a way to acquire location information through the bidding process, which means that some companies can gather users’ location data without the app developers’ knowledge or involvement. This has been a big concern in terms of privacy, because no one is sure who is responsible for the collection and use of the data.[1]

Several apps listed in the breach (Moovit, Flightradar24, My Period Calendar) have denied any involvement with Gravy or knowledge of the data collection. Tinder and Muslim Pro also denied that they authorized Gravy to collect location data, though they did acknowledge using advertising networks that may have been involved in the data collection process. This situation raises the question of whether app developers are truly aware of how their apps are being used in the larger advertising ecosystem.[1]
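To make concrete what travels with a bid request and how a publisher or mediation layer could limit it, here is an added example (not from the cited sources or any vendor's code). It assumes the bid stream uses OpenRTB 2.x field names, which the article does not specify; `minimize_bid_request` is a hypothetical helper and all sample values are constructed.

```python
import copy
import ipaddress

# Constructed sample bid request using OpenRTB 2.x field names (assumption: the
# page does not name a wire format). Every value here is made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.game"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising ID
        "ip": "203.0.113.57",
        "lmt": 0,  # 1 would mean the user limited ad tracking
        "geo": {"lat": 40.748817, "lon": -73.985428, "type": 1, "accuracy": 12},
    },
    "user": {"id": "u-42", "geo": {"lat": 40.748817, "lon": -73.985428}},
}

def _coarsen_geo(geo, decimals):
    """Round coordinates and drop fields that reveal precision or fix time."""
    out = {k: v for k, v in geo.items() if k not in ("accuracy", "lastfix", "zip")}
    for key in ("lat", "lon"):
        if key in out:
            out[key] = round(out[key], decimals)
    return out

def minimize_bid_request(req, decimals=1, user_opted_out=False):
    """Hypothetical helper: return a copy that is safer to send to bidders.

    decimals=1 keeps roughly 11 km resolution (0.1 degree of latitude).
    With an opt-out or lmt=1, location and advertising ID are removed entirely.
    """
    out = copy.deepcopy(req)
    device = out.get("device", {})
    limited = user_opted_out or device.get("lmt") == 1
    for holder in (device, out.get("user", {})):
        if "geo" not in holder:
            continue
        if limited:
            del holder["geo"]
        else:
            holder["geo"] = _coarsen_geo(holder["geo"], decimals)
    if limited:
        device.pop("ifa", None)
        device["lmt"] = 1
    if "ip" in device:  # IPv4 only: zero the host octet so the IP is less precise
        net = ipaddress.ip_network(device["ip"] + "/24", strict=False)
        device["ip"] = str(net.network_address)
    return out
```

Every bidder that receives the request sees these fields whether or not it wins the auction, so the minimization has to happen before the request leaves the publisher side.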

At the end of 2024, the Federal Trade Commission (FTC) accused Gravy Analytics of unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship. Last week the FTC finalized an order stopping Gravy Analytics and its subsidiary Venntel from unlawfully tracking and selling sensitive location data. The FTC found that the companies violated privacy laws by collecting and selling this data without users’ consent. The companies are now banned from selling or using sensitive location data, except in limited cases like national security or law enforcement, and must create a program to protect sensitive data.[4]

Gravy accused by the FTC of tracking some people going into government buildings and other sensitive locations [4]

The data breach highlights a crucial issue: users may be unaware of how their private data is being collected, used and sold. Even though some apps claim to protect user privacy, the broader advertising ecosystem might still allow data collection through third-party networks. As real-time bidding becomes more widespread, it is essential that both app developers and users become more aware of how their data is being handled and take steps to protect their privacy.

References:
[1] https://www.wired.com/story/gravy-location-data-app-leak-rtb/
[2] https://www.linkedin.com/pulse/breach-gravy-analytics-location-data-threatens-privacy-millions-vosbc
[3] https://en.wikipedia.org/wiki/Real-time_bidding
[4] https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-order-prohibiting-gravy-analytics-venntel-selling-sensitive-location-data

9 Comments

  1. This is really concerning and shows how much we need better privacy rules. It’s shocking that sensitive location data from apps like Tinder and even prayer apps was collected and sold without people knowing. The FTC taking action against Gravy Analytics is a good start, but it makes you wonder if app developers and ad networks are doing enough to protect our privacy. It’s a good reminder to always check what permissions we’re giving to the apps we use!

  2. It’s scary how our location data can be collected and sold without us knowing. The Gravy Analytics breach involving apps like Tinder and Candy Crush really shows the need for better privacy protection. The FTC’s action against Gravy Analytics is a step in the right direction. Great Article, Nazim!

  3. Reading articles like this can really make you think—are data breaches just something we have to accept? It’s true that cybersecurity is getting better, data management is smarter, and people are becoming more aware of privacy risks, all of which help reduce vulnerabilities. However, human error, constantly evolving cyber threats, and the huge amounts of data being collected every day still make breaches a very real risk. That’s why it’s so important for companies to stay ahead with their security measures, and for all of us to stay alert. While we can’t predict when a breach might happen, the risk is always there—which is exactly why having strong defenses and proactive strategies is more crucial than ever.

  4. Interesting post. I used to consistently use Muslim Pro to track prayer times and other features, but after hearing concerns about data privacy with the app, I decided to delete it and find an alternative. Location data is a highly sensitive one, and it is alarming how it can be collected and sold without user consent, especially through certain practices like real-time bidding. Thanks for this, it is reassuring to know that the root cause has been identified and addressed by the FTC taking action against Gravy Analytics. Hopefully, these companies do better in protecting user data because that is the main driver of their platforms.

  5. Great post, Nazim! Privacy violations like this make it reassuring that Google and Apple are rolling out more stringent controls for how users allow their personal information to be used; Google’s fine-grained control over Location (Fine/Coarse, only when the app is in use) would hopefully give users the ability to restrict such sensitive access, especially for apps like Candy Crush where it is wholly unnecessary for the app’s function. While we have seen that users are far more prone to just click accept to everything, as with terms and services, an eventual future where users can unambiguously deny access to their personal information—even if such denial would prevent the application from working—would at the very least give users an informed choice of what data they would be giving away to use the application, and whether that trade is acceptable to them.

  6. This is really concerning because innocent individuals’ privacy is breached without their consent or knowledge, and it is scary to think that our movements could be tracked and now potentially exposed because of this hack. It makes you wonder about the safety of our personal data, especially when it’s collected by companies we’ve never even heard of until something like this happens.
    Great post Nazim!!!

  7. Great post Nazim! It is incredible the amount of data that third party services can collect from you, even Candy Crush! Although it is true that regular users don’t check the terms and services thoroughly and we may miss some points, keeping personal information secured should be a priority. It is important to verify that PI is stored and categorized correctly, also it is important to inform users about the data breach so they can take extra measures. Thanks for the information!

  8. Great post Nazim! I read Gravy Analytics’ January 2025 fact sheet, and it’s surprising to see that despite their claims of not collecting data directly from apps or using mobile SDKs, the recent breach reveals how real-time bidding can still allow data to be gathered and sold without app developers even realizing it. This shows some disturbing concerns about transparency in the advertising ecosystem. Even with compliance measures in place, it’s clear that users and developers might not have full control over how their data is shared and used.
    Link to Gravy Analytics’ Fact sheet – [https://474803.fs1.hubspotusercontent-na1.net/hubfs/474803/Gravy%20Analytics%20Fact%20Sheet%20%26%20FAQs_01222025.pdf]

  9. Great post, Nazim! This data breach really flashes a light on how little control users have over their location data. Real-time bidding in the ad ecosystem means that data collection could be common with absolutely no explicit consent from users, let alone knowledge by the app developers. For improving privacy preserving we can cultivate increased transparency from app developers on their practices for sharing data, stricter regulation of data brokers, and better equipping users with more granular control over location data through more explicit privacy settings and opt-out options. Besides that, increasing public awareness is required about the dangers involved in data collection through RTB.