Fri Jan 10 2025

Thousands of apps, including Candy Crush, Tinder, and MyFitnessPal, have been compromised to track your location.

A cyberattack on the location data company Gravy Analytics has revealed which apps are, knowingly or unknowingly, collecting your information in the background.

It has been revealed that some of the world's most popular applications are being exploited by certain unethical members of the advertising industry to collect sensitive location data on a massive scale. This data is being sold to a company that handles geolocation data and has previously provided global data to law enforcement agencies in the United States. Among the thousands of compromised applications are games like Candy Crush and dating apps like Tinder, as well as pregnancy tracking tools and religious prayer apps, available on Android and iOS platforms.

The detailed analysis conducted by security experts has shown, for the first time, concrete evidence that one of the major data intermediaries, which sells to both commercial and government clients, is obtaining its information from real-time bidding (RTB) advertising, rather than from code embedded within the applications. This suggests that data collection may be occurring without the knowledge of either the users or the app developers.

The report indicates that data collection in this context poses a serious privacy risk, as it not only involves a data breach but also highlights the irresponsibility of some entities handling this information. Among the leaked data are millions of coordinates from mobile phones located in the U.S., Russia, and Europe, some of which are linked to specific app names.

The list of affected applications includes dating platforms like Tinder and Grindr, major games like Candy Crush and Subway Surfers, as well as tools like Moovit and MyPeriod Calendar & Tracker. These applications are well-known and used by millions, amplifying concerns about user privacy. Despite requests for comments, many of the mentioned companies did not respond, and some, like Flightradar24 and Grindr, denied any knowledge of Gravy or having any relationship with the company.

Gravy, which plays a crucial role in the location data industry, compiles information from various sources and then markets it to businesses and government agencies through its subsidiary Venntel. This data flow has come under scrutiny, as agencies such as Immigration and Customs Enforcement and the FBI have been among its clients.

The fact that this data comes from the RTB process implies that there are responsible parties within the advertising industry that need to be identified and regulated. The situation is complicated by the fact that app developers may not be aware that their platforms are being used for data collection in this context. However, it is known that surveillance companies can access RTB data by partnering with advertising firms, which allows for the collection of information without the need to place specific ads.

With growing concerns about data collection and privacy practices, it is urgent that measures be taken to protect users and ensure transparency in the use of their personal information.