An alleged hacker has made claims of successfully breaching U.S. location tracking firm Gravy Analytics, as per screenshots of the declaration being circulated online. The specifics of how and when the breach transpired remain unclear. A post in Russian and screen captures shared early Sunday on XSS, a platform frequented by attention-seeking cybercriminals, asserted that the company had been hacked and a substantial amount of data had been stolen. Despite efforts to reach out to the individual behind the posts, their contact details could not be immediately located, with the dissemination of the information being noted by tech publication 404media.
Efforts to establish contact with location intelligence company Unacast, which had recently announced a merger with Gravy in 2023, were unsuccessful. Furthermore, Gravy’s website was inaccessible, and repeated attempts to make contact went unanswered. When approached at Unacast’s modest office in a coworking space in Ashburn, Virginia, a gentleman stated that he was not authorized to engage with the media on the matter.
Several experts who scrutinized approximately 1.4 gigabytes of leaked data that surfaced online around the same time as the alleged hack concurred that the information seemed to have been sourced from Gravy. Marley Smith, the principal threat researcher at cyber intelligence company RedSense, affirmed, “It passes the smell test 100 percent.” Likewise, John Hammond from cybersecurity firm Huntress echoed a similar sentiment, stating, “It all seems to point to it being legitimate.”
Gravy was one of the two companies ensnared in a recent enforcement action by President Joe Biden’s administration targeting brokers specializing in leveraging cellular data to furnish highly detailed information about individuals’ whereabouts at any given time. This data can be utilized for personalized online advertisements or deployed for surveillance purposes by government entities and corporations. The Federal Trade Commission voiced apprehensions that it could facilitate activities such as stalking, blackmail, and espionage.
In December, the FTC reached a settlement with Gravy and another broker, Mobilewalla, after both were accused of engaging in deceptive practices by collecting location data without obtaining proper consent. The FTC refrained from commenting on the alleged breach. However, in a statement issued last month, FTC Chair Lina Khan underscored the vulnerabilities of Americans’ sensitive data in the multi-billion-dollar targeted advertising industry. The statement highlighted the heightened exposure of such data to potential risks.