Top 11 Worst Location Data Privacy Breaches

by Stephen Schroeder - Sep 25, 2017 Category: Family

Although we think our data is safe, we often give chunks of it away to third parties without proper knowledge of how that information is stored and used. We also don’t have a clue about the most important thing of all: how companies keep our data safe. In most cases, it was discovered that our data isn’t as safe as we thought. Just look at Yahoo and the company’s two massive data leaks: back in 2013 and 2014, more than 1.5 billion user accounts were affected, with all kinds of personal data being compromised. Users’ real names, passwords, email addresses, dates of birth, and telephone numbers were stolen, making the breach the biggest one in history.

Other huge data breaches happened during the age of the internet, but we won’t talk about them all today. Instead, we’ll focus on the potentially most dangerous form of private data breaches, location data leaks. While knowing your name, password, email address, or credit card information can give hackers valuable tools to make a mess out of your life, you can avoid all the fuss if notified in time. Passwords can be changed, you can make a new email address or activate two-step verification that can protect your account even if someone knows your password, and you can quickly cancel your credit card. Your name doesn’t mean much without a database (public, or a third party’s, like a bank’s client register) from which someone can get additional information, and those are pretty hard to steal.

But someone having data about your location, especially your home address, can be really dangerous. We can’t just change our address on a whim; that's pretty much impossible for the majority of the population. And what if the data contains our real-time location info, meaning that someone, with the right clearance, can track us during our daily routine?

Location Data Privacy Breach Risks

We want to show you some of the biggest location data breaches so that you realize that many companies (some of them pretty big and famous) didn’t incorporate strong enough security measures, resulting in their users’ data being stolen without any major problems. We also want to show you that, sometimes, a company that has access to your location data can use it to track you or even use your private data to make profits.

1. Security Researchers Discover a Massive GPS Tracker Data Leak

The first case on the list is the most recent one. Just a couple of days ago, security researchers working for Kromtech discovered that data from more than 540,000 GPS tracker devices, stored on Amazon’s S3 cloud storage service, could be freely accessed online because of inadequate security measures.

The S3 “bucket” on which the data was stored wasn’t properly secured, resulting in a massive data leak. Leaked records include trackers’ IMEI numbers, usernames, passwords and email addresses associated with trackers, license plates of vehicles on which trackers were installed, along with complete GPS data logs.

In other words, if your vehicle has a GPS tracker (the model wasn’t mentioned, but it is known it was used by more than 400 dealerships) affected by the breach, chances are someone could just access the cloud storage and see everything about your vehicle, including full route logs. Yup, they can see your vehicle’s complete location history. A perfect example of how cloud storage is vulnerable without proper security measures.

2. Grindr’s Poor Security

If you haven’t heard about it yet, Grindr is a highly popular adult dating site for gay men. And while it doesn’t seem like an app like Grindr could be a victim of a security breach, the truth is the complete opposite.

You see, the app connects users by matching their location, which means it uses users’ exact location in order to work. The app promises its users absolute security and privacy, but one experiment discovered that Grindr could potentially be hacked and all location data could be viewed and users could get stalked.

You see, the app features algorithms capable of finding nearby users by using their location. When you open the app, it will show you a list of users, with first places on the list taken by users who are closest to you. You can decide to blur your location in settings, but Grindr will still use it when determining your distance to other users.

Now, this distance-measuring feature can be used to pinpoint any user on a map by way of trilateration. A hacker or, in this case, a security expert that found the weakness, can use the app’s proximity algorithm and determine the exact location of any user by combining the distance measurements from three points surrounding them.

This means that if you use an app like Grindr (a dating app based on users’ proximity to others), your location can be easily found and shared with others. And by your location, we mean your exact location, down to a foot or so. This just shows that apps relying on user location must incorporate strong security measures if they want their user base’s private data to be safe.

And worst of all, even when some apps incorporated new security measures, experts were still able to pinpoint users’ locations. All they needed was more time to do it.

3. mSpy Hack

mSpy is a monitoring app, so to speak, which offers a variety of services including location tracking. It is advertised as a platform for parents to monitor their children’s activity on smartphones and PCs, but it does invade children’s privacy a bit too much.

Aside from location tracking, mSpy offers call log, SMS, WhatsApp, email tracking along with many more features that can help you to completely oversee your kid(s) 24/7. The company behind the service keeps terabytes of highly private data on its servers, such as text conversations and recorded phone calls, as well as images, location tracking data, and more.

Even though mSpy handled, and still handles, extremely sensitive data, they were hacked and a couple of hundred gigabytes of data were stolen. The entire database ended up on a Tor-based server from which it could be downloaded from any computer.

The hack happened in 2015 and really shook the tech community. Not only did hackers manage to access mSpy’s servers quite easily, they also found all the data there free to grab, with no form of encryption in use. Poor security, along with the absence of any end-to-end encryption based protection, led to a massive data breach that included location tracking, photos, email threads, and other forms of highly sensitive data.

It is important to offer your users end-to-end encryption if any form of sensitive information or data is used or generated by your app or service. Since no server is impenetrable these days, it’s better to offer your users privacy than to believe you won’t end up being hacked.

4. Sprint Giving GPS Data to Feds

Back when location sharing apps weren’t a thing and when Google, as well as most social networks, didn’t follow you around wherever you go, location data was, and still is, in the hands of network operators. If you own a smartphone with GPS, your operator can get your exact location.

And this shows just how vulnerable our private data is. Our location is known at all times. And when some government agency, like the FBI, asks for the GPS data, operators should only give it when there’s a justifiable cause behind the demand. But, between September 2008 and October 2009, Sprint provided location data to various government agencies more than 8 million times.

That’s a lot, and while all companies in the business will share your location data with the police, and with third-party companies (but in anonymous form), the sheer number of requests is astonishing. Your location isn’t private; it will “leak” either to the police or ad companies.

5. AccuWeather Sharing Geolocation Data with a Third-Party Firm

While you are reading this, your location is accessed by at least a couple of apps on your phone. Social networks, apps like Uber, any app that offers location-based services, and many games ask for your location.

And while it is possible to not give them access, by doing this you will just prevent them from installing on your device. You end up without the possibility of using the app, which could be problematic since most of us have a couple of apps we use on a daily basis and can’t think about living without.

One of the most popular groups of apps used on most smartphones today is weather apps. They come in all shapes and sizes: you have minimal ones that show you just the temperature and a couple more weather details, and you also have advanced ones which offer tons of features.

And all of them need your location in order to provide you with accurate weather details – especially today when users can report local weather and when more and more apps offer local weather details and need your location to send you data from your nearest weather station.

Yes, there’s an option of manually selecting your location (usually by searching for it inside the app), but even by doing that, your location will be tracked. You probably noticed, if you have ever manually selected your location, that it gets updated once you arrive in a different city.

And one of the most popular weather apps is AccuWeather, an app and a service that offers lots of various options and fairly accurate weather forecasts. As with most other similar apps, AccuWeather needs your location details in order to show you the most accurate forecast. But it seems the app is using your location data even when you turn off access to your device’s precise location.

Will Strafach, a security researcher, managed to tap into the traffic stream from a device running AccuWeather and found out that the app would send device location data to a third-party firm. The company the data was sent to is called Reveal Mobile, and it monetizes user location. In other words, it sells location data to ad companies.

Now, AccuWeather sent precise location if users enabled it (along with speed and altitude), but if that wasn’t the case, the app would send the Wi-Fi router name and its unique MAC address, which can be used to pinpoint users’ coordinates. All you need is the router’s MAC address and public data, and you can discover down-to-the-meter precise coordinates of a specified user.

This is another massive location data leak that shows how we can’t actually control when and how our location data is used. Instead of apologizing for sharing their users’ private data, AccuWeather explained how the data is anonymized, but the company did state that "In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers."

If you use AccuWeather, you better find an alternative. Even when you disable precise location, your location data will be sent to a third-party firm. And discovering your coordinates is easy as pie. By using public data, along with the MAC address of the router you’re connected to, someone could find you anywhere in the world in just a few minutes.

If you ask your users for location permissions, make sure the data isn’t misused, as is the case here. And make sure all info you collect from users is encrypted. This isn’t the case with AccuWeather. Yes, the app disabled data collection (but only when a user opts out of location sharing), but selling private data to a third party should be reason enough to stop using the weather app.

6. McDonald’s India Leaking User Location Data

McDonald’s, probably the most famous fast food company in the world, started to do home delivery during the 90’s. And while ordering food before the smartphone era was secure and anonymous, most delivery services these days ask for your precise location in order to show you restaurants near you and to give you faster delivery.

But that means they should also protect users from potential data leaks by incorporating high-security measures, and that isn’t always the case. Earlier this year, one payments company discovered a leaky API inside a McDelivery mobile app that uncovered many forms of private data of the app’s users.

This all happened in India, ultimately exposing private data of more than 2.2 million users, which is highly disturbing. While their payment details weren’t accessible, the flaw did disclose home addresses, and even exact coordinates of users, on top of showing phone numbers, names, email addresses, and social media profiles.

In other words, the data used by the app wasn’t secure, and it could be accessed by third-party subjects. This again shows how weak security measures could lead to location data leaks. McDonald’s reassured its India users by stating that “our website and app does not store any sensitive financial information about users like credit card details, wallets passwords or bank account information,” and that "The website and app has always been safe to use."

But leaking users’ exact locations, their home addresses, phone numbers, and names isn’t really making the McDelivery app “safe to use.” Again, if you want your location to be private, do not use services with poor security.

7. Runkeeper Sharing Location Data with Third Parties

You’ve probably heard about Runkeeper. The app provides fitness and location tracking services. It tracks your runs, and basically your every movement and helps you get, and stay, in shape. But it also sends your location data to third-party firms (in other words advertising companies) all of the time.

Last year, the Norwegian Consumer Council did a survey and found out that a couple of apps breach European data protection law, which should ensure your private data stays private. But the Council found out that Runkeeper “requests unreasonably wide-ranging permissions compared with the access actually needed to deliver the service … we fail to see a need for obtaining such location information for functionality purposes and would ask whether this is in line with the rules of purpose limitation.”

And, even worse, it seems Runkeeper stores your data (location data, movement data, and other personal data) even after you uninstall the app from your phone. Hell, they store your data even when you close your Runkeeper account, which is really concerning. That means that, even if you just wanted to check it out, the app will record your movements and will store them long after you decide Runkeeper isn’t for you. Your private data isn’t private anymore. If an app decides it needs your location, it will track it and even store it for later use.

The good thing about this case is that it seems the data is secure. The sad thing is that you are being tracked and that info is sent to third-party firms so that they can show you highly relevant ads based on your location. If you want to use an app that tracks your location, make sure it doesn’t send it to third-party firms.

8. Foursquare Publishing Users’ Location Data Online

Back when it appeared, Foursquare was huge. It was the first location sharing app that succeeded on a massive scale and while we have seen how the company transformed, becoming more of a recommendation and shop platform than a location sharing service, back then it was the most popular social location sharing platform. And it had lousy security.

Famous check-ins were extremely attractive, and the app had millions of users sharing their location with their friends, but a simple security flaw made location data public, publishing all users’ location data online. Yup, you could basically see check-in locations of all Foursquare users. The flaw was found by a white-hat hacker, and it was fixed by Foursquare shortly after the news hit the web. Simply put, the app showed all users’ locations publicly, even if a user opted out of the public location broadcasts.

The Foursquare location leak was one of the first massive scale location data leaks that showed how our private location data could be easily accessed if not for strong security measures. Foursquare simply didn’t take the privacy of its users seriously, resulting in a massive scandal. This showed why our private location data should stay private, and how we should have control over our privacy settings.

9. Uber and Post Trip Tracking

Uber is a great service, as long as you don’t own a cab or a taxi company. The startup allowed any person with a car to earn extra money by driving people, but at the same time, it hurt taxi businesses by introducing a way to get a fare cheaper and more conveniently. But the company tried to exploit their users with a background location tracking feature.

In late 2016 Uber introduced a controversial feature that enabled the app to collect location data from its users at all times. Basically, if you had the app installed on your mobile device, it would track you during a ride, and for five minutes after you reach your destination. And that’s just wrong. Although Uber stated they are doing this in order to improve their service, location tracking could give them much more info.

They could find out your daily routes, which way you go after a fare, and your habits just by following you around in the background. The story ended with Uber agreeing to encrypt user location data while it is sent to Uber’s servers, and while it is moved between them. After a while, the company introduced a way to prevent your location from being tracked, but if you decide to opt out, you have to manually enter pick-up and drop-off locations, which isn’t really handy if you use the service on a daily basis.

And this isn’t the first time the company was involved in malpractice regarding user data. Some employees used the data to track ex-girlfriends and boyfriends, as well as some celebrities, the company’s officials tracked journalists, and the company is known for its poor security practices regarding private data. The Uber background data collection shows what could go wrong if a service that has access to location data decides to take advantage of it without notifying its users.

10. Snapchat’s Poor Security Practices

Snapchat is extremely popular; it introduced a new way to chat with self-erasing messages, but the app was at the center of many security concerns. Back in 2014, more than 4.6 million Snapchat users were affected by a data breach, exposing their usernames and numbers, as well as their locations. The hack was one of the biggest data leaks to date, but that isn’t all.

During 2016 Snapchat got scammed when a hacker impersonated the company’s CEO, ultimately getting payroll data for many employees, current and former, which led to the company improving its security practices. But with the release of Snap Map, the social feature showing all of your Snapchat friends’ locations on a digital map, things became much worse.

The problem is that the app isn’t a full social network, thus leading to many users having Snapchat friends they have never seen or met in person. And when you combine Snap Map with having many friends you never actually met, you have a big issue.

Snap Map can be great, but it can also be a huge security risk. Your private location data can be seen by anyone you befriended on Snapchat because the company didn’t explain to users that their location is shared automatically on Snap Map every time they open the app. This led to many users being unaware that their precise location (in the form of a Bitmoji shown on a map) is shared with everyone.

Since the app is highly popular among teenagers, this led to a huge backfire on the web. Kids and teens aren’t informed about how sharing their location online can endanger them. There are many fake Snapchat accounts, and if a child has these accounts as “friends,” they could access their location with ease, just by opening the app.

And sharing location can be a problem with adults, too. We don’t really like for our location to be visible to all at all times, and that’s exactly what happens every time we open Snapchat. Fortunately, you can enable “Ghost Mode” and disappear from Snap Map, but location sharing is turned on by default. If someone isn’t well informed about the feature (and most kids and teenagers don’t know much about location sharing and privacy), they won’t know they will be visible to everyone.

Snapchat’s Snap Map and the fact it is enabled by default can be misused in many ways. You can follow your friends, even those you never met; ill-intended individuals can stalk children, or worse. All that because one service isn’t transparent regarding its features. If you use Snapchat, enable Ghost Mode; it will keep you safe, and no one will know where you are every time you enter the app.

11. An App That Reveals Tinder Users’ Locations

We started with a dating app, and we finish this list with a dating app, the most famous app of them all. You heard about Tinder, and you probably know the app finds potential matches by their vicinity to your location. And a couple of years ago, security researchers found that every Tinder user’s location could be easily discovered.

The app, called Tinderfinder, was able to pinpoint each and every user on a map, showing their exact location. It did that by exploiting a massive flaw in Tinder’s security. You see, the app stated that its users’ location data was encrypted at all times, except it was not.

The app sent user location to every smartphone with Tinder installed, and the data didn’t include any encryption technique. This allowed Tinderfinder to pinpoint any user on a map by simply triangulating their position based on the data available on every smartphone running the app. This showed how our location data must be encrypted and how location sharing apps, and apps that use location sharing for their services, must have the highest level of security because they deal with extremely private data that shouldn’t be available to everyone.
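
An added example (not from this article or from any of the apps named) of why hiding the map pin while still reporting exact distances does not protect users, and of a server-side fix: snapping the stored position to a grid cell before any distance is computed. It applies to both the Grindr case in section 2 and the Tinder case above; coordinates are assumed to be planar metres, and all names and values are constructed.

```python
import math

def snap_to_grid(pos, cell_m):
    """Replace a position with the centre of the cell_m x cell_m square holding it."""
    return tuple((math.floor(c / cell_m) + 0.5) * cell_m for c in pos)

def reported_distance(observer, target, cell_m=None):
    """Distance the service hands to `observer`. With cell_m set, the target is
    snapped to the grid first, so every answer refers to the cell centre."""
    if cell_m:
        target = snap_to_grid(target, cell_m)
    return math.hypot(observer[0] - target[0], observer[1] - target[1])

def trilaterate(points, dists):
    """Position implied by three reference points and their distances.
    Subtracting the first circle equation from the other two leaves a
    2x2 linear system, solved here with Cramer's rule."""
    (x0, y0), (x1, y1), (x2, y2) = points
    d0, d1, d2 = dists
    a1, b1 = 2 * (x1 - x0), 2 * (y1 - y0)
    a2, b2 = 2 * (x2 - x0), 2 * (y2 - y0)
    c1 = d0**2 - d1**2 + x1**2 + y1**2 - x0**2 - y0**2
    c2 = d0**2 - d2**2 + x2**2 + y2**2 - x0**2 - y0**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("reference points are collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

def residual_exposure(target, observers, cell_m=None):
    """Return (implied position, error in metres) for the distances the
    service would report about `target` to the three observers."""
    dists = [reported_distance(o, target, cell_m) for o in observers]
    est = trilaterate(observers, dists)
    return est, math.hypot(est[0] - target[0], est[1] - target[1])

# Constructed test values: a user and three query positions, in metres.
TARGET = (1234.0, 5678.0)
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 9000.0)]

if __name__ == "__main__":
    _, exact_err = residual_exposure(TARGET, OBSERVERS)
    est, snapped_err = residual_exposure(TARGET, OBSERVERS, cell_m=1000)
    print(f"exact distances:  implied position is {exact_err:.3f} m from the user")
    print(f"1 km grid snap:   implied position {est} is {snapped_err:.0f} m off")
    print(f"worst case with this grid: {1000 * math.sqrt(2) / 2:.0f} m")
```

With exact distances the implied position lands on the user; with snapping, the distances only ever describe the cell centre, so the exposure is bounded by half the cell diagonal no matter how many distances are collected.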

Conclusion

We live in a connected world, and that means big companies will track your location, whether you like it or not. For instance, Google is doing this constantly. You can pause location tracking, but it will continue after a while. Just go to your location history, and you can see your movements in high detail.

Big retail stores also track our movement, and the only thing we can do to prevent this is not to enter big retail stores, since the moment we enter we practically give them consent to track us. Further, more and more mobile apps track their users, but most of them encrypt the data and do not sell it to advertisers. Even fitness trackers spill location tracking data since most of them have very weak security features.

If you want to stay hidden and want your location data to remain private, always check if the app you want to install tracks your location. Never install apps known for their poor security, and if you want to use a location sharing app, make sure it features end-to-end encryption. But Google, Facebook, Snapchat, and our mobile carriers will continue to track our data, meaning that location tracking will never disappear. We can only hope they know what they are doing and that they incorporate powerful security features that keep our location data safe and sound.