Millions of people using some of the world’s most popular apps may have had their locations leaked in a major hack.
Tinder, Spotify, Citymapper, Mumsnet and Sky News were among hundreds of companies named in a sample list of apps linked to the breach.
Hackers appear to have targeted a US location tracking firm Gravy Analytics. It collects information through smartphones, including peoples’ precise movements, and then provides it to other companies or governments.
More than 10 terabytes of data is thought to have been stolen, with Russian-speaking hackers sharing a sample of the stolen information on a well-known hacking forum.
Baptiste Robert, founder of Predicta Lab, a company that provides tools for online privacy and security, analysed the sample and was able to easily identify individuals around military bases and government offices, as well as details about people’s homes and family lives.
He also told Sky News the apps named in the leak weren’t necessarily working with Gravy Analytics.
Instead, he said, software development kits used in the apps appeared to be sending off users’ location data.
Graeme Stewart, from cyber security firm Check Point, told Sky News: “This is a new type of hack.
“It’s not just your personal details, it’s really quite intimate details about your life and what you’re doing and how you’re doing it.”
The company at the centre of the hack, Gravy Analytics, sells the data of thousands of apps used all around the world.
It can see granular details about users, down to whether you’re using your phone on the bus or on the toilet, according to Mr Stewart.
“It’s that level of detail which suddenly gives people the ability to make really quite deep distinctions and deep observations about your life and use that against you,” he said.
Read more:
‘Stuck’ NASA astronauts ‘not castaways’
OpenAI boss denies sister’s sexual abuse claims
Musk and the grooming gang scandal
Tech news outlet 404 Media first reported the hack and saw the sample data.
It includes precise latitude and longitude co-ordinates of people’s phones, and the time at which the phone was there, according to 404 Media.
What you can do
In order to protect from hacks like this, Mr Robert suggested users turn off their location when it isn’t needed, as well as WiFi.
He also recommended Android users delete their advertising ID and iOS users turn off “Allow Apps to Request To Track” in the privacy and security settings.
Named companies say they do not work with Gravy Analytics
A source with an understanding of the leak told Sky News that Tinder may be named because it is downloaded on phones with apps that work with Gravy Analytics.
The source suggested that the tracking company could have the ability to pull the names of other downloaded apps on the device.
“Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app,” a Tinder spokesperson told Sky News.
Other companies named in the leaked data told Sky News they don’t work with Gravy Analytics or even track user location data.
Spotify said it could confirm “no Spotify user data is involved in this hack”.
A source at Sky said the company is urgently reviewing the alleged incident and doesn’t appear to have a commercial relationship to Gravy Analytics.
Gravy Analytics has been approached for comment.