Hackers have claimed to have breached Gravy Analytics, a prominent location intelligence company, and its subsidiary Venntel.
The attackers allege they have exfiltrated 17 terabytes of data, including sensitive customer information, industry insights, and smartphone location data that could reveal individuals’ precise movements.
This breach has sparked alarm over the potential misuse of such data and its implications for privacy. The hackers announced their claim on the XSS cybercrime forum, sharing samples of the stolen data totaling 1.4GB.
The leaked samples reportedly include historical smartphone location data with precise latitude and longitude coordinates, timestamps, and other sensitive details.
Screenshots posted by the attackers also suggest they gained root access to Gravy Analytics’ servers and control over its domains and Amazon S3 buckets, which are often used for large-scale data storage.
The hackers warned Gravy Analytics that they would begin publishing the stolen data if the company did not respond within 24 hours.
As of January 8, 2025, Gravy Analytics’ website remains offline, adding to speculation about the company’s response to the breach.
Gravy Analytics specializes in collecting and analyzing anonymized location signals from mobile devices to provide insights for businesses.
Its subsidiary Venntel has been known to sell location data to U.S. government agencies, including the Department of Homeland Security (DHS), Internal Revenue Service (IRS), and Federal Bureau of Investigation (FBI).
These agencies have used such data for various purposes, including immigration enforcement. However, Gravy Analytics has faced criticism for its data practices.
In December 2024, the Federal Trade Commission (FTC) accused Gravy Analytics and Venntel of violating consumer privacy laws by collecting and selling sensitive location data without obtaining proper user consent.
The FTC alleged that the companies continued using consumer data even after discovering that consent had not been granted.
They were also accused of selling information related to visits to sensitive locations such as healthcare facilities, religious sites, and political gatherings.
The potential fallout from this breach is immense. Experts warn that if the stolen bulk location data is sold on underground markets or made public, it could lead to severe privacy violations.
Researcher Baptiste Robert shared “hared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.”
He highlighted risks such as deanonymization of individuals and tracking high-risk targets like activists or journalists.
The leaked data could also expose sensitive personal details about individuals’ health decisions, political activities, or religious affiliations—information that could be exploited for discrimination or surveillance.
Furthermore, the breach underscores vulnerabilities in the location data industry, where companies collect vast amounts of personal information with limited oversight.
As investigations unfold, this incident may prompt renewed calls for stronger privacy protections and accountability in the data brokerage industry.
Meanwhile, individuals whose information may have been compromised face heightened risks of surveillance and exploitation in an increasingly interconnected digital world.
ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free