Millions of Vinted, Spotify and Tinder users’ data could be compromised in global hack

Hackers are believed to have targeted a US company which brokers location data for thousands of popular apps

Millions of users of popular apps such as Vinted, Spotify, Candy Crush and Tinder may have had their sensitive location data stolen by an unknown hacker who has posted details on a Russian-language site popular with cyber-criminals.

In what is being treated as a major international data breach, it is being reported that hackers have targeted US company Gravy Analytics (GA) which brokers location data for thousands of popular apps.

It is estimated that some 20 million people in Britain will have used one of the apps affected, although it is not known how many may have had their location data stolen. Experts fear the stolen data will also make it easier for criminals to scam individuals or potentially blackmail them.

Many companies collect customers’ locations when they use their apps. This data is then sold, either directly or indirectly, to a company like GA, which in turn sells the data on to somebody else, such as hedge funds, insurance firms or government agencies.

This breach presents a new level of risk for personal privacy, as the hack could potentially reveal not just the movements of individuals or their shopping and gaming habits but also the identities of people targeted by government and law enforcement agencies.

Alan Woodward, professor of cybersecurity at the University of Surrey said: “It’s the loss of privacy that should be of greatest concern. You can immediately see how location history or very recent location could be a great way of socially engineering someone in a scam for further unauthorised access.”

GA itself has been censured by the US authorities for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.

Second-hand marketplace, Vinted, is thought to be one of the apps potentially impacted by the hack (Photo: NurPhoto/Getty)

As well as posting the location details of millions of users, the hacker also detailed the over 10,000 apps where the location data originated. It listed apps including Vinted, Spotify, Candy Crush, and dating app Tinder as examples.

A spokesperson for Vinted, one of the most popular online marketplaces for secondhand clothes in the world with 16 million users in Britain, said although it has no direct partnership with GA there is a potential for customers to be affected.

They said: “We are taking this matter seriously, as the safety of our members is a top priority. We are actively looking into the situation to determine whether our platform or members may have been affected, including any potential indirect impact through third parties. At this time, we do not have enough information to confirm any connection or impact.”

A post on the dark web earlier this month from an unknown hacker named “Nightly” claimed to have carried out the successful hack. The post was accompanied by a 1.4GB sample of the breach, thought to contain 10m records of app location data, which cyber security experts have verified as coming from the company.

The stolen data, in what is believed to be a blackmail attempt, is also thought to include the GPS locations and IP addresses of millions of phones using popular apps, and is understood to contain location histories of individuals, potentially spanning several years.

Attempts to verify the breach or its scale were problematic, as Gravy’s website remained offline and the company did not respond to messages. However, British security sources have confirmed that they are monitoring the situation to discover just how significant the breach is.

The i Paper has learned the hacker could have obtained upwards of 10 terabytes of data which is many thousands of times larger than what has already been released on the dark web. If true, it will represent one of the most significant hacks in recent history.

Accounts of millions of users based across the world, including the UK, are understood to have been impacted by the data theft.

The breach highlights the growing concern around mobile apps being able to track users’ locations. As part of the standard practice of data brokering, many popular apps constantly track users to generate data which can then be used by third parties to launch targeted marketing campaigns.

When users agree to an app’s terms and conditions on data sharing, their data can then be shared with third parties under those agreements. The US data broker GA is based on the outskirts of Washington DC, and is known for selling smartphone location data to various customers, including US Government agencies such as the Department of Homeland Security and the Federal Bureau of Investigation.

The firm also works with thousands of companies to hoover up location data and help clients understand the movements of their users for tailored advertising and marketing.

The practice has faced fierce criticism, and the US Federal Trade Commission (FTC) recently expressed concern that Gravy Analytics’ technology, in particular, could facilitate stalking, blackmail, and espionage.

Matt Gull, Global Head of Threat Intelligence and cyber security expert at NCC Group, said: “For cybercriminals and nation-states alike, data is one of the key commodities in cyberattacks. In the event of a breach, malicious groups can exploit data not only for extortion but also to sell it on to other criminals, who can use it to commit further offences such as fraud and identity theft. This latest data breach at Gravy Analytics threatens to expose the location data of millions of users, underscoring the urgent need for robust data protection measures.”

Spotify, King Games – owner of Candy Crush – and Tinder have all been approached for comment. This newspaper attempted to reach GA, whose website is currently down, but could not reach a representative for comment.

The Government’s National Cyber Security Centre (NCSC) was also approached for comment.

What is location data and how might the hack impact you?

By Chris Stokel-Walker

The hack of Gravy Analytics is a major development – but what is the data in question, and does it matter to us that it’s being traded?

What is location data?

The clue is in the name: it identifies you – or more accurately, your device’s – location. It can be obtained in different ways, said Alan Woodward, professor of cybersecurity at the University of Surrey. “The most obvious way is when location services are enabled on a mobile device,” he explained.

When an app asks for permission to use your location, for instance in the case of Vinted to find nearby sellers, and you grant permission to that app, you do so either for a single use, only while using the app, or permanently. “Some people give it ongoing access rather than just when the app is in use,” said Woodward.

How is the data extracted?

Generally, this data is obtained by seeing where a mobile phone pings base stations on a phone network. When you travel around the country, within an area or inside a town or city, your mobile phone seeks out the nearest possible phone mast to obtain service. This can be triangulated to identify your movements.

The Information Commissioner’s Office, the UK data protection authority, officially classes only data obtained in this way as location data.

But phones can provide their location in other ways, such as from GPS signals, which are radio signals transmitted from satellites orbiting the Earth that do something similar. Public wi-fi networks and Bluetooth beacons can also identify a phone’s location.
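The “triangulation” step described above can be illustrated with a small calculation. The following Python snippet is an added example, not code from the article or from any company named in it: it assumes three base stations at known positions (in a flat local grid measured in metres) and a range estimate from each, then solves for the phone’s position by linearising the three circle equations. The tower positions and ranges are constructed for the illustration; real networks derive ranges from signal timing and the estimates are far noisier than GPS, which is why cell-based fixes are typically accurate to hundreds of metres rather than the five metres quoted for GPS.

```python
import math

# Constructed example: three base stations on a flat local grid, in metres.
TOWERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]


def ranges_from(point, towers):
    """Straight-line distance from a point to each tower (what timing-based
    measurements approximate in a real network)."""
    px, py = point
    return [math.hypot(px - tx, py - ty) for tx, ty in towers]


def trilaterate(towers, distances):
    """Estimate (x, y) from three towers and three range estimates.

    Subtracting the first circle equation from the other two removes the
    quadratic terms, leaving two linear equations in x and y, solved here
    by Cramer's rule. Raises if the towers are collinear (no unique fix).
    """
    (x1, y1), (x2, y2), (x3, y3) = towers
    d1, d2, d3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 + y2**2 - x1**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 + y3**2 - x1**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return x, y


def fix_error_m(true_point, towers, range_noise_m):
    """How far the estimate lands from the true point when every range is
    off by range_noise_m (a crude stand-in for timing error)."""
    noisy = [d + range_noise_m for d in ranges_from(true_point, towers)]
    ex, ey = trilaterate(towers, noisy)
    return math.hypot(ex - true_point[0], ey - true_point[1])


if __name__ == "__main__":
    phone = (300.0, 400.0)  # constructed true position
    print("exact ranges ->", trilaterate(TOWERS, ranges_from(phone, TOWERS)))
    print("error with +50 m range bias:", round(fix_error_m(phone, TOWERS, 50.0), 1), "m")
```

With exact ranges the solver returns the true position; with a uniform 50 m range error the fix drifts by tens of metres, which is the practical gap between network-derived and GPS-derived location that the article alludes to.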

How is location data used?

Location data can be a boon for legitimate service providers. For many mobile food ordering apps, for instance, it can help identify when you’re in one branch of a pub or restaurant rather than another, or can be used by ridesharing and taxi services to pinpoint where exactly to pick you up. GPS location data is accurate to within around five metres.

It can also be used to tailor adverts or other services, said Woodward. “Some marketing companies do determine location, including inferring it from your browser and device when you access a site, and use this to target ads,” he explained.

Location data can be highly valuable to legitimate businesses, which is why firms like Gravy Analytics operate. One estimate valued the location data services industry at $21bn – a number only likely to have risen since. And if it’s of value to legitimate providers, it’ll be valuable to bad actors.

Who is most at risk of location data being hacked and sold or ransomed?

Anyone, in a word. “It’s the loss of privacy that should be of greatest concern,” said Woodward. “You can immediately see how location history or very recent location could be a great way of socially engineering someone in a scam for further unauthorised access.” If, for instance, a hacker can see that you’ve recently been to a bank or doctor’s office, they could then send you messages pretending to be that organisation, convincing you to hand over personal data.

How can you minimise your risks?

The simplest way is to be judicious about when, and to whom, you grant access to your location data. Many apps ask for vast volumes of information, because it allows them to build up a better picture of who you are, and therefore makes the information they hold about you more valuable to sell to advertisers.

But they don’t need that level of detail, and the improvements they offer individual users for handing over that data are minimal. So check within your phone’s settings which apps have location data permanently turned on, and switch them off – only allowing them access when utterly necessary.
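The point that apps rarely need full-precision location applies equally on the data-handling side: a broker or app backend that keeps only the precision a feature needs limits what a breach like this one can expose. The Python below is an added example, not code from the article or from Gravy Analytics, and assumes a hypothetical per-purpose precision policy (`PRECISION_BY_PURPOSE`) and a constructed sample record. It coarsens coordinates to a decimal-degree grid, drops fields the purpose does not require (here the IP address), and quantifies how much positional detail the coarsening removes, using the haversine formula.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Hypothetical policy: how many decimal places of latitude/longitude each
# purpose is allowed to retain. 2 decimals is roughly a 1 km grid cell,
# 5 decimals is roughly 1 m (finer than the ~5 m GPS accuracy quoted above).
PRECISION_BY_PURPOSE = {
    "nearby_sellers": 2,   # "is there a seller in my part of town?"
    "city_analytics": 1,   # ~10 km cells
    "navigation": 5,       # turn-by-turn needs full precision
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon, decimals):
    """Snap a coordinate to a grid of 10**-decimals degrees."""
    return round(lat, decimals), round(lon, decimals)


def worst_case_error_m(lat, decimals):
    """Half the diagonal of one grid cell at this latitude: the largest
    displacement coarsening can introduce. Uses ~111,320 m per degree."""
    half_step = (10 ** -decimals) / 2
    dlat_m = half_step * 111_320
    dlon_m = half_step * 111_320 * math.cos(math.radians(lat))
    return math.hypot(dlat_m, dlon_m)


def minimise_record(record, purpose):
    """Return a copy of a location record reduced to what `purpose` needs.

    Unknown purposes are refused rather than defaulting to full precision,
    so a new data flow must be explicitly added to the policy.
    """
    if purpose not in PRECISION_BY_PURPOSE:
        raise ValueError(f"no precision policy for purpose {purpose!r}")
    decimals = PRECISION_BY_PURPOSE[purpose]
    lat, lon = coarsen(record["lat"], record["lon"], decimals)
    # Keep only the fields the purpose needs; the IP address is never one of them.
    return {"device_id": record["device_id"], "lat": lat, "lon": lon,
            "ts": record["ts"], "purpose": purpose}


def precision_lost_m(record, purpose):
    """Distance between the original ping and its minimised form."""
    out = minimise_record(record, purpose)
    return haversine_m(record["lat"], record["lon"], out["lat"], out["lon"])


# Constructed sample ping (central London area; not real user data).
SAMPLE_PING = {"device_id": "dev-0001", "lat": 51.5074, "lon": -0.1278,
               "ts": "2025-01-10T08:15:00Z", "ip": "203.0.113.7"}

if __name__ == "__main__":
    for purpose in PRECISION_BY_PURPOSE:
        print(purpose, minimise_record(SAMPLE_PING, purpose),
              "moved by", round(precision_lost_m(SAMPLE_PING, purpose)), "m")
```

For the nearby-sellers purpose the sample ping is moved by a few hundred metres and the IP address is dropped, which is still enough to find sellers in the same district but no longer pins a device to a particular building; the navigation purpose retains sub-metre precision, and the policy makes that trade-off explicit per feature rather than collecting everything by default.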
