A major data breach has compromised Gravy Analytics — a company that collects and sells smartphone location data — potentially exposing millions of users. Hackers claim to have stolen over 17 terabytes of sensitive data, including customer lists, industry insights, and precise location data of individuals’ movements.

The breach, first reported by 404 Media, has raised serious privacy concerns, as experts warn that the leaked information could be used for tracking, surveillance, and de-anonymization of users worldwide.

The hackers posted samples of the stolen data on a Russian cybercrime forum, claiming to have accessed Gravy Analytics’ cloud storage through a misappropriated Amazon Web Services (AWS) key. As reported by TechCrunch, the leaked data allegedly includes over 30 million location points linked to widely used apps such as Tinder, Candy Crush, MyFitnessPal, and Flightradar24.

Gravy Analytics and its subsidiary Venntel have previously sold location data to US government agencies, including the FBI, IRS, and Department of Homeland Security, according to NBC News. The Federal Trade Commission (FTC) had already banned Gravy Analytics and Venntel, accusing them of illegally collecting and selling location data without user consent.

Privacy advocates have long warned about the risks of data brokers operating without strict oversight. Cybersecurity expert Zach Edwards described the breach as the “nightmare scenario” that privacy advocates feared, telling 404 Media that the exposure of location data could seriously endanger high-risk individuals and organizations.

Following the breach, Gravy Analytics’ website went offline, and its parent company, Unacast, notified Norwegian and UK data protection authorities. Security researchers examining the leaked data confirmed that it contained sensitive locations, such as government buildings, military bases, and high-profile landmarks.

WIRED reported that the stolen dataset likely originated from the real-time bidding (RTB) advertising ecosystem, where advertisers bid to place ads inside apps. This process accidentally exposes user location data to brokers, often without app developers’ direct knowledge.

Privacy experts warn that this breach highlights the dangers of mass location tracking and the lack of strict data protection laws in the US.

Security professionals advise users to disable unnecessary location tracking, use ad blockers, and reset advertising IDs regularly to reduce their exposure. With the stolen data now circulating, millions of users face serious privacy risks. This adds to broader concerns about data security, with 97% of top US retailers also experiencing data breaches last year.