Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies.
They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.
It's OSINT time! 👇
They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.
It's OSINT time! 👇
The samples include tens of millions of location data points worldwide.
They cover sensitive locations like the White House, Kremlin, Vatican, military bases, and more.
Time to dig in!
They cover sensitive locations like the White House, Kremlin, Vatican, military bases, and more.
Time to dig in!
Visualizing such a massive amount of location data is no easy task.
Google Earth Pro crashed at 500k location points, and our OSINT platform hit its limit at 1.5 million. Even if it is "just" a sample, rendering the entire dataset at once is a real challenge.
Google Earth Pro crashed at 500k location points, and our OSINT platform hit its limit at 1.5 million. Even if it is "just" a sample, rendering the entire dataset at once is a real challenge.
To address the burning question: no, I didn’t find any data points from Epstein Island 😁
Your mobile apps are sharing your location with companies like Gravy Analytics.
For instance, here are the locations of Tinder users in the UK.
For instance, here are the locations of Tinder users in the UK.
I extracted the package names of Android apps that "leak" user locations.
Yes, 3455 apps.
And remember, this is just a "sample."
gist.github.com/fs0c131y/f498b…
Yes, 3455 apps.
And remember, this is just a "sample."
gist.github.com/fs0c131y/f498b…
The locations in these samples are tied to an advertising ID: AAID for Android and IDFA for iOS.
By isolating a target's advertising ID, you can trace their location history.
For instance, this individual in Sevastopol stayed at this hotel.
By isolating a target's advertising ID, you can trace their location history.
For instance, this individual in Sevastopol stayed at this hotel.
While Europe spends years debating data regulations, the sad reality remains.
Maybe it’s time to (actually) take action?
Maybe it’s time to (actually) take action?
These samples also include an extract of the reference databases they use.
Now imagine: plotting military bases alongside millions of location data points on the same map.
You could potentially deanonymize military personnel worldwide.
Now imagine: plotting military bases alongside millions of location data points on the same map.
You could potentially deanonymize military personnel worldwide.
Protect yourself, open your phones:
- On Android: Go to Settings < Privacy < Ads < Delete advertising ID
- On iOS: Settings < Privacy & Security < Tracking < Allow Apps to Request To Track
- On Android: Go to Settings < Privacy < Ads < Delete advertising ID
- On iOS: Settings < Privacy & Security < Tracking < Allow Apps to Request To Track
This isn’t your typical data leak, it’s a national security threat.
By mapping military locations in Russia alongside the location data, I identified military personnel in seconds.
Again, this is just a "sample".
By mapping military locations in Russia alongside the location data, I identified military personnel in seconds.
Again, this is just a "sample".
The threat actor could potentially release the entire dump within a few hours.
If that happens, I’ll update the thread. Don’t forget to bookmark it! 😉
Stay tuned...
If that happens, I’ll update the thread. Don’t forget to bookmark it! 😉
Stay tuned...
Additional notes:
👉 The total size of the sample is 1.4 GB, containing 30,449,271 locations
👉 Based on the hacker’s claim of having 10 TB of history, the entire dataset would likely contain approximately 217,494,792,857 locations. 🤪
👉 The total size of the sample is 1.4 GB, containing 30,449,271 locations
👉 Based on the hacker’s claim of having 10 TB of history, the entire dataset would likely contain approximately 217,494,792,857 locations. 🤪
The sample’s location data is relatively recent, covering January 5, 2024, through January 2, 2025.
However, please note that only half of the entries include a timestamp.
[I corrected my previous tweet]
However, please note that only half of the entries include a timestamp.
[I corrected my previous tweet]
It doesn't make much of a difference, but I found older locations dated August 10, 2023, and September 17, 2023.
Time for some fun! I can now geofence 30M locations.
Got an "interesting" spot in mind? Drop it in the comments, and I'll check it out.
Here's an example: data points around the White House and their movements across the globe!
Got an "interesting" spot in mind? Drop it in the comments, and I'll check it out.
Here's an example: data points around the White House and their movements across the globe!
No results for area 51 😅
Example of deanonymization:
- Dec 29, 7:08 PM: Seen at Columbus Circle, NYC.
- Later: Returned home to a TN town with a registered locksmith business.
- Next day: Visited his mother, Carol. His father was an USAF vet and passed 3 years ago.
Yes, you can be tracked.
- Dec 29, 7:08 PM: Seen at Columbus Circle, NYC.
- Later: Returned home to a TN town with a registered locksmith business.
- Next day: Visited his mother, Carol. His father was an USAF vet and passed 3 years ago.
Yes, you can be tracked.
For privacy, disable location and Wi-Fi when not needed to avoid being tracked.
If an app shows ads, uninstall it. It likely shares your location with third parties.
If an app shows ads, uninstall it. It likely shares your location with third parties.
https://twitter.com/fs0c131y/status/1876993531589402772
Q: What platform is shown in the screenshots?
A: It’s the @PredictaLabOff OSINT platform, designed for law enforcement (non-public). For public tools, check out predictasearch.com and predictagraph.com.
A: It’s the @PredictaLabOff OSINT platform, designed for law enforcement (non-public). For public tools, check out predictasearch.com and predictagraph.com.
@PredictaLabOff Q: Do these apps send my location directly to Gravy Analytics?
A: Not directly. Advertisers use complex systems to target ads based on your profile. Ultimately, companies like Gravy Analytics collect and resell your data, including to government agencies.
A: Not directly. Advertisers use complex systems to target ads based on your profile. Ultimately, companies like Gravy Analytics collect and resell your data, including to government agencies.
@PredictaLabOff Q: Should I put on my foil hat now?
A: Not really. This isn’t new and is well-known to specialists. If you value your privacy, following the advice in the thread is already a solid step forward.
A: Not really. This isn’t new and is well-known to specialists. If you value your privacy, following the advice in the thread is already a solid step forward.
@PredictaLabOff Q: Is this leak special somehow?
A: Yes, such a large volume of data being public is rare. But it’s just a fraction, Gravy Analytics processes 7 billion locations daily, while this leak contains “only” 30 million.
A: Yes, such a large volume of data being public is rare. But it’s just a fraction, Gravy Analytics processes 7 billion locations daily, while this leak contains “only” 30 million.
@PredictaLabOff Q: But what about GDPR and regulations?
A: There’s a gap between political debates and reality. This thread offers just a small glimpse of how your data is actually handled.
A: There’s a gap between political debates and reality. This thread offers just a small glimpse of how your data is actually handled.
The sample includes a "users" file, a SQL dump of the "customers" table, featuring names like Google, Uber, eBay, Grindr, Babel Street, LiveRamp, Spotify, ...
Gravy Analytics has some major clients 👀
Gravy Analytics has some major clients 👀
• • •
Missing some Tweet in this thread? You can try to
force a refresh
