Millions of phone location records feared leaked as one of the biggest data leaks ever may be a whole lot worse

The geo-location information of tens of millions of smartphones has been leaked, a fresh lawsuit alleges.

Feb 8, 2025 - 00:16

  • Gravy Analytics is being sued for failing to protect personal data
  • The suit comes after 17TB of records were allegedly stolen from the firm
  • The hack on a data broker has sparked four lawsuits so far

A complaint has been filed in the federal court of Northern California outlining allegations that data broker Gravy Analytics has failed to properly safeguard vast amounts of personal data, which may now have been stolen.

This is the fourth such lawsuit since January 2025, when screenshots were posted to Russian cybercrime forum XSS, fuelling fears that a staggering 17TB of records were swiped from the analytics firm’s AWS S3 storage buckets.

This breached information puts the privacy of millions at risk, and underlines the enormous risk created when personal data is harvested and stored by private companies.

This week's suit alleges that a huge archive of geo-locations from smartphone devices was leaked - here’s what we know so far.

Insufficient data protection

Arguing the firm had a duty to protect the data it collected and stored, the lawsuit points to the risk of identity theft for anyone whose information was compromised.

The latest complaint, reported by The Register, alleges "the hacked Gravy Analytics data included tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe, obtained through individuals’ use of major mobile applications such as Tinder, Grindr, Candy Crush [and more]".

The first breach was reported in early January 2025 after a hacker threatened to publish stolen location data, customer lists, and personal information harvested by Gravy Analytics and stolen in a huge hack.

Gravy Analytics has since been banned by the FTC from selling sensitive location data, alongside its subsidiary Venntel, after the FTC alleged the two violated the FTC Act by ‘unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.’

There are plenty of popular apps which collect your data, and often this is sold on to brokers for profit. Because a lot of this collection occurs through the ‘advertising ecosystem’ rather than code the app creators themselves develop, this data collection is ‘likely happening without users’ or even app developers’ knowledge’.

The collection of personal information by the data broker industry comes with some serious risks and the industry is largely unregulated in the US, so the protections provided by laws like GDPR don’t apply.

The specific details of the hack aren't yet known, but keeping your organization safe is about anticipating and preparing for a potential attack, says Pierre Noel, Field CISO EMEA at Expel.

"The solutions to prevent a major security incident are well known - adequate protection, detection, and swift incident response. However, the real challenge lies in human nature: we instinctively believe cyberattacks only happen to others, rather than ourselves."

Take control of your data

If you regularly use the internet, unfortunately, it’s pretty likely that your information has fallen into the hands of a third party, whether you gave it to a company you use with your permission, it appeared in a data breach, or it has been sold on legally to a broker.

“Data Privacy Day serves as a crucial reminder to safeguard sensitive information in an era where data dominates,” comments Dr Ellison Anne Williams, CEO and founder of Enveil.

“As we navigate an increasingly interconnected world and transformative technologies such as AI grow their foothold in the digital economy, finding ways to protect data privacy and mitigate risk will be essential.”

Because of this, a market has opened up for the best personal data removal services, which can be a really powerful tool in helping keep you or your employees safe by removing your information from data brokers.

If you’re in the EU or UK and are protected by GDPR but still want to completely disappear your online persona - we still have some tricks for you.

The first is to delete your social media accounts. As much as you might enjoy scrolling, the Cambridge Analytica scandal told us that social media platforms have been used to harvest your data and map out your personal relationships and personality - so if you really value your privacy, the socials have to go.

Once those are gone, you’ll need to scour through your other accounts. Innocuous accounts like shopping sites or dating profiles will more than likely be monitoring your purchases or selling your demographic information, so removing these is also key. A great tip is to search your inbox for ‘sign-up’ or related phrases to get a reasonably accurate list to work from.

Going forward, staying anonymous online will be much easier with a Virtual Private Network (VPN). These essentially encrypt your internet traffic so that your browsing history isn’t recorded, and hide your IP address, so your location can’t be shared. We’ve listed the best VPN services to keep yourself safe.
