Candy Crush, Tinder, MyFitnessPal: See Thousands of Apps Hijacked to Spy on Your Location


Some of the world’s most popular apps have likely been co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary previously sold global location data to US law enforcement.

The thousands of apps, included in the hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, on both Android and iOS. Because most of the collection happens through the advertising ecosystem, not through code created by the app creators themselves, this data collection is likely happening without the knowledge of users or even app developers.

“For the first time publicly, we appear to have proof that one of the largest data brokers selling to commercial and government clients appears to be getting its data from the online advertising ‘bid stream,’” rather than from code embedded in the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who closely follows the location data industry, told 404 Media after reviewing some of the data.

The data provides a unique look inside the world of real-time bidding (RTB). Historically, location data companies paid app developers to include code bundles that collect location data on their users. Many companies have instead turned to sourcing location information through the advertising ecosystem, where companies bid to place ads within apps. But a side effect is that data brokers can listen in on that process and harvest the location of people’s cellphones.

“This is a terrible scenario for privacy, because not only did this data breach contain data taken from RTB systems, but there are some companies out there acting like a global honey badger, which does whatever it wants with every piece of data that comes its way,” Edwards said.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices within the US, Russia, and Europe. Some of the files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of the mentioned apps.

The list includes dating sites Tinder and Grindr; big games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles and Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions many religion-oriented apps such as Muslim prayer and Christian Bible applications, various pregnancy trackers, and several VPN applications, which some users may, in fact, download in an attempt to protect their privacy.

See the complete list HERE. Many security researchers have published other lists of apps included in the data, which vary in size. Our version is bigger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app with slight name variations to make it easier for readers to search for the apps they have installed.

Although this data comes from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or obtained it from another company, or which location company owns it or is licensed to use it.


