Tens of thousands of apps leak user data

Apps leak information to American data trading company, possibly without even the developers knowing.

Ove Kaufeldt

Published 15 January 2025 - 18:01

Sensitive information from tens of thousands of apps has leaked to the American data trading company Datastream Group, likely without the app developers' knowledge. This is reported by the publication Dagens Nyheter, which reports on a database containing both Swedish apps and information about Swedish private individuals.

The database, which represents a snapshot from a single day in July 2024, contains approximately 380 million registered positions from mobiles in 137 countries, including Sweden. The information has been collected from about 40,000 apps, including games, weather apps, and dating services.

Report: Exposed by Your Phone

The phone knows where you are. It knows what you write and to whom. The phone also knows things you didn't know about yourself. Do you know what your mobile can reveal about you?

The leaked information varies in detail. Some positions are at the GPS level, which means that individuals' movement patterns can be followed in detail. Other data is based on IP addresses, which provide less precise positions but can reveal cities, neighborhoods, or foreign travel. The database also contains unique ID numbers for advertising, which enables cross-referencing with other databases and potential identification of individuals. Over 12,000 such ID numbers can be linked to Sweden.

Among the apps are some of the world's most popular, such as the messaging service Kik, the Swedish-developed game Candy Crush Saga, and Flightradar24, an app for tracking air traffic. Apps that handle sensitive information, including health data, dating for sexual minorities, and religion-related services, are also represented.

Several of the companies behind these apps state that they have no business relationship with Datastream Group and question how the company gained access to their user data. Candy Crush Saga, developed by Stockholm-based King, reportedly only has less detailed positions based on IP addresses in the database.

How the information was collected is still unclear. However, much points to the possibility that data may have been extracted via advertisements displayed in the apps. When the apps connect to advanced advertising systems, personal information about the users is sent, which seems to have become a commodity without the app developers' or users' knowledge.