07. 01. 2025 Massimo Giaimo Threat Intelligence

Gravy Analytics breached (to be confirmed)

WARNING: This post is continuously updated as new evidence related to the data breach emerges.

The well-known company Gravy Analytics appears to have suffered an attack. On Sunday night a post by the user nightly appeared on the XSS forum, reporting evidence of what looks like a very significant exfiltration. The threat actor claims to have exfiltrated about 17 TB of data.

What is Gravy Analytics?

Gravy Analytics is a location intelligence company that specializes in providing insights and analytics based on location data. The company collects anonymized location signals from mobile devices and uses this data to help businesses understand consumer behavior, improve decision-making, and optimize their operations.

Controversies

In December 2024, Gravy Analytics and its subsidiary Venntel, Inc. were accused by the Federal Trade Commission of improperly handling the data collected through their services.

The FTC’s complaint alleges that Gravy Analytics and Venntel violated the FTC Act by unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.

According to the complaint, Gravy Analytics continued to use consumers’ location data after learning that consumers didn’t provide informed consent. Gravy Analytics also unfairly sold sensitive characteristics, like health or medical decisions, political activities and religious viewpoints, derived from consumers’ location data.

What does the exfiltrated data contain?

The attacker claims to have exfiltrated data such as IP addresses, BSSIDs, email addresses, user agents and user profiles.

Sample Sharing

Today, January 7th, the threat actor updated the post on the XSS forum, sharing three sample archives totalling about 1.4 GB of data. The archives contain about 1600 files, most of them (about 1560) in the first archive.

Sample Archives Detail

Although analysis is still in progress, the content of the archives seems to confirm that the data breach occurred; it is not yet clear when it happened, and the data may have been exfiltrated some time ago. In addition to the data of users profiled by the Gravy Analytics platform, the archives also contain data on the platform's own clients, including other major marketing and data analytics companies.

Update 08/01/2025

I analyzed part of the data shared by TA nightly on the XSS forum (the part* files and the partneruser_db file).

Some of the figures from the location data:

  • 13473 applications
  • 396115 IP addresses
  • 3317 organizations
  • 43586 locations
  • 11 countries

Some of the figures from the partneruser_db file:

  • 330543 email accounts

Update 09/01/2025

Another interesting finding concerns the geographic coordinates of a number of US military bases present in the data. Here is the list:

  • Marine Corps Base Camp Lejeune
  • Tyndall Air Force Base
  • Vandenberg Air Force Base
  • NAS Pensacola FL
  • Webster Field
  • Point of Marsh Target
  • Marine Corps Air Station Cherry Point
  • Marine Corps Air Station New River
  • Eareckson Air Force Station
  • Anniston Army Depot

In addition to the American ones, the geographic coordinates of some Iranian and Yemeni military bases are also present.

The data also contains other sensitive points of interest, such as the geographic coordinates of airports, hospitals, oil terminals, refineries and cell towers, and contact details of prisons, alongside less sensitive data such as the geographic coordinates of shops and restaurants.

Another important update concerns the status of the post on the XSS forum. TA nightly has temporarily hidden the content of the post (until tomorrow, January 10th). Maybe a negotiation is under way?

Update 10/01/2025

The nightly post on the XSS forum has been completely removed. One can only speculate about the reason. It could be that a negotiation took place between the threat actor and Gravy Analytics and an agreement was reached not to publish the full data set.

Website down

At the time of writing, the Gravy Analytics website is returning a bare HTTP 503 error.

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix and Threat Intelligence Team Leader at Würth Group