Grindr shared personal, HIV and geolocation-related data with two of its third-party contractors without informing users, information security training researchers said.
As a way to make relationships safer, the gay flirting application Grindr allows users to share whether or not they are infected with HIV and the date of their last test. This data is extremely sensitive and private and serves only to inform potential future partners, but it turned out that Grindr was sharing it with two third-party contractors to optimize its algorithm.
This was revealed by Antoine Pultier, an information security training researcher who works for the Norway-based NGO Sintef. In a conversation, Pultier said that Grindr saved the data of over 3.6 million daily users and passed it on to Localytics and Apptimize, two of its third-party contractors.
According to Pultier, the shared data contained users’ HIV information, phone numbers, email addresses and geolocation, making it easier not only to identify users but also to locate them in real time. What’s worse is that some of the data was not even encrypted.
“The two companies, Apptimize and Localytics, which help optimize apps, receive some of the information that Grindr users choose to include in their profiles, including their HIV status and ‘last tested date,’” information security training professionals reported.
“Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status,” said Pultier.
In response to the allegations, Grindr's chief technology officer, Scott Chen, justified the practice of sharing data and wrote a post stating that data sharing with Localytics and Apptimize follows industry standards to “test and validate” the app. He also claimed that the data was never sold to anyone.
The company also vows not to share HIV data with anyone outside the company. In a conversation with CNNMoney, the company said that “it has already deleted HIV data from Apptimize, and is in the process of removing it from Localytics.”
Nevertheless, Grindr users on social media are showing disappointment over the company’s secret data sharing tactics, while some are even talking about completely removing the app from their devices since their location data is already in the hands of third parties, information security training analysts said.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.