TL;DR: Hackers stole 17 terabytes of precise GPS location data from Gravy Analytics, a location data broker that collects data from smartphone apps and sells it to advertisers and government agencies, including DHS, FBI, and IRS. The data includes GPS coordinates, timestamps, and movement patterns from millions of phones worldwide, spanning years. This happened just weeks after the FTC banned Gravy from selling sensitive location data. The breach exposes how the entire location data ecosystem works: apps collect your location, brokers aggregate and sell it, government buys it to avoid warrants, and now all that data is in criminal hands.
What Was Stolen
Hackers claimed to have exfiltrated approximately 17 terabytes of data from Gravy Analytics and its subsidiaries:[1]
- GPS coordinates: Precise location data to within meters
- Timestamps: When you were at each location
- Movement patterns: Historical tracking spanning years
- Device identifiers: Data linked to specific phones
- App sources: Which apps collected the data
17 terabytes of location data is massive. For perspective, that's equivalent to millions of individual movement histories, enough to track where millions of people went, when, and for how long.[2]
Who Is Gravy Analytics
Gravy Analytics is a location data broker operating through:[3]
- Unacast: Parent company based in Norway
- Venntel: US subsidiary that specifically sells to government agencies
The business model is straightforward:
- Apps collect location data from your phone (often without meaningful consent)
- App developers sell this data to aggregators like Gravy
- Gravy compiles data from thousands of apps into comprehensive profiles
- Gravy/Venntel sells access to advertisers, businesses, and government agencies
Venntel specifically marketed to government buyers as a way to acquire location data without warrants: the "data broker loophole" that avoids Fourth Amendment protections.[4]
Government Customers
Gravy's location data was sold to multiple US government agencies:[4]
- Department of Homeland Security (DHS): For immigration enforcement
- FBI: For investigations
- IRS: For tax enforcement and investigations
- ICE: Through DHS contracts, for tracking potential deportation targets
- CBP: For border enforcement
When the government buys location data commercially instead of getting a warrant, it sidesteps constitutional protections. The Fourth Amendment limits government searches, but not private purchases.
Now all that data, the same data government agencies used for surveillance, is in the hands of whoever hacked Gravy Analytics.
Which Apps Tracked You
Location data comes from ostensibly innocuous apps:[1]
Weather Apps
Need location for forecasts. Also sell your GPS history to data brokers.
Games
Location-based features are optional. Location data collection often isn't.
Prayer Apps
Muslim prayer apps have been documented selling location data to data brokers with government contracts.
Navigation/Maps
Obviously need location. Less obviously sell your entire travel history.
When you grant "location permission" to an app, you're typically also granting permission to sell that data. The consent screen doesn't make this clear.
FTC Action, Too Late
In December 2024, just weeks before this breach, the Federal Trade Commission took action against Gravy Analytics and Venntel:[5]
- Banned selling sensitive location data without explicit user consent
- Prohibited collection at sensitive locations: healthcare facilities, religious sites, union halls
- Required data retention limits
But the FTC action came after years of unrestricted data collection. The data that was breached had already been collected and sold.
Closing the barn door after the horses escape, and after hackers steal the horses, isn't effective regulation.
The De-Anonymization Problem
Data brokers claim location data is "anonymized." Research consistently shows this is false:[6]
- Home location: Where your phone sleeps identifies your home
- Work location: Where your phone spends weekday mornings identifies your workplace
- Combined: Home + work uniquely identifies most people
- Movement patterns: Regular routines are fingerprints
Studies have shown that just four location points are typically sufficient to uniquely identify an individual. Gravy had years of data at 10-second intervals.
This data was never truly anonymous. Now it's in hacker hands.
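The unicity argument above can be measured directly on a dataset before it is retained or released. This is an added example, not code from the original article or from any broker: the traces are constructed, and the roughly 1 km grid, the 1 hour buckets and all function names are assumptions.

```python
import random
from collections import defaultdict

def coarsen(lat, lon, ts, cell_deg=0.01, bucket_s=3600):
    """Reduce a raw fix to a (grid cell, hour) pair: about 1 km and 1 hour (assumed)."""
    return (round(lat / cell_deg), round(lon / cell_deg), ts // bucket_s)

def unicity(traces, k, trials=300, seed=1):
    """Share of sampled k-point subsets that match exactly one pseudonymous ID."""
    rng = random.Random(seed)
    points = {dev: sorted({coarsen(*f) for f in fixes}) for dev, fixes in traces.items()}
    seen_at = defaultdict(set)            # coarse point -> IDs observed there
    for dev, pts in points.items():
        for p in pts:
            seen_at[p].add(dev)
    eligible = sorted(d for d, pts in points.items() if len(pts) >= k)
    if not eligible:
        return 0.0
    unique = 0
    for _ in range(trials):
        dev = rng.choice(eligible)
        sample = rng.sample(points[dev], k)
        matches = set.intersection(*(seen_at[p] for p in sample))
        unique += matches == {dev}        # True counts as 1
    return unique / trials

def constructed_traces(devices=300, days=14, seed=7):
    """Synthetic data: each ID has a home (night), a workplace (morning), one errand a day."""
    rng = random.Random(seed)
    place = lambda i: (40.0 + (i % 10) * 0.01, -74.0 + (i // 10) * 0.01)
    traces = {}
    for n in range(devices):
        home, work = place(rng.randrange(40)), place(rng.randrange(40, 50))
        fixes = []
        for day in range(days):
            t0 = day * 86400
            fixes.append((*home, t0 + 2 * 3600 + rng.randrange(3600)))
            fixes.append((*work, t0 + 10 * 3600 + rng.randrange(3600)))
            errand = place(rng.randrange(50, 110))
            fixes.append((*errand, t0 + rng.randrange(17, 22) * 3600))
        traces[f"id-{n:04d}"] = fixes
    return traces

if __name__ == "__main__":
    data = constructed_traces()
    for k in (1, 2, 4):
        print(f"k={k}: {unicity(data, k):.0%} of samples single out one ID")
```

Even with many IDs sharing each home and workplace cell, the share of samples that isolate a single ID rises sharply as k grows, which is why removing names from a trace does not make it anonymous.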
What Hackers Can Do With This Data
Identify Individuals
Match location data to real identities through home/work patterns or cross-reference with other data sources.
Track Specific People
Journalists, activists, executives: anyone whose movements might be valuable to track.
Blackmail
Visits to sensitive locations (clinics, meetings, romantic partners) become extortion material.
Sell to Other Buyers
Foreign intelligence services, corporate espionage, stalkers: the market for location data is broad.
What You Can Do
Audit App Permissions
Review which apps have location access. Remove it from apps that don't need it. Set it to "only while using" for those that do.
Delete Unnecessary Apps
That weather app isn't worth a permanent record of your location. Use browser versions of services instead.
Disable Advertising ID
On iOS: Settings > Privacy > Tracking. On Android: Settings > Privacy > Ads. This limits cross-app tracking.
Use Privacy-Focused Alternatives
Choose apps that don't monetize your data. Open-source alternatives often have better privacy practices.
The Bottom Line
The Gravy Analytics breach exposes the entire location data ecosystem's fundamental problem: data that's collected will eventually leak.
Everything you were promised (anonymization, security, responsible use) failed. The FTC finally acted, but years of data had already been collected. Government agencies used this data to surveil without warrants. Now hackers have it all.
17 terabytes of precise location data from millions of phones. Where people went. When. How long they stayed. Every sensitive location: clinics, religious sites, union meetings, protests, romantic encounters.
The apps that collected this data are still on your phone. They're still collecting. And the next breach is already being prepared. We just don't know about it yet.
The only real protection is to stop the collection in the first place.
References
[1] The Record - Gravy Analytics Breach 17TB Stolen (January 2025)
[2] 404 Media - Inside the Gravy Analytics Breach
[3] Kroll - Gravy Analytics Breach Analysis
[4] EFF - Government Location Data Purchases
[5] FTC - Action Against Gravy Analytics/Venntel (December 2024)
[6] Nature - Unique in the Crowd: Location Data De-anonymization