Beware! Tinder and Candy Crush might be compromising user data. Here’s how you can protect your privacy.

In today’s digitally connected world, the value of smartphones largely lies in the variety of apps and games they support, with millions of people relying on them daily for communication, entertainment, and productivity. However, recent events have brought attention to popular apps like Candy Crush Saga and Tinder for data breaches.A report published by 404 Media on January 9, 2025, exposed a major data breach at Gravy Analytics, a leading location data broker. The breach raised alarm over how popular apps may be misusing users’ real-time location data. The breach revealed that well-known apps like Candy Crush Saga and Tinder had provided user location data to Gravy Analytics, which was then compromised by a hacker.

The breach involved terabytes of consumer data stored in the company’s Amazon cloud, marking one of the largest known collections of consumer location information. This incident underscores a troubling reality: user location data is not only being collected on a massive scale but it is also being sold and exposed to unauthorized third parties.

The hacker behind the breach has reportedly shared samples of the stolen data on a Russian forum, claiming to have extracted millions of location points from Gravy Analytics’ database. These points allegedly span locations across the United States, Europe, and even sensitive areas like the White House, the Kremlin, and military bases. The leaked dataset serves as a stark reminder of the vast scale of location tracking and the serious risks it poses to privacy and security. The breach also highlights how easily location data, including information from highly sensitive sites, can be exposed to unauthorized parties.

How does Gravy Analytics get its data?

Baptiste Robert, an ethical hacker shared on X about how Gravy Analytics gets its data. According to him, Gravy Analytics generally does not collect data directly from apps. Instead, it collaborates with ad-serving agencies or intermediaries that gain access to user data from Android and iOS devices. The fallout from this breach extends beyond personal privacy concerns, as the leaked data includes sensitive locations such as government facilities, religious sites, and private residences, raising the potential for espionage, blackmail, and other malicious activities.

How can you protect yourself?

To protect your privacy, take the following steps:

• On Android, go to Settings, then Privacy, and select Ads. From there, you can delete your advertising ID.
• On iOS, navigate to Settings, then Privacy & Security, and choose Tracking. Finally, disable the option that allows apps to request to track you.