In early 2025, hackers managed to steal location data from millions of users by breaking into a data broker that collects location data from thousands of apps via advertising networks and real-time bidding systems. This data, originating from apps like Candy Crush, Tinder, and many others, was seized and posted online.
For companies that programmatically purchase advertising space, this incident illustrates how complex the supply chain of mobile data and advertising technology actually is and how vulnerable this chain can be to cyber incidents.
How location data ends up in the advertising chain
Many free apps generate revenue through advertising. For this purpose, user data, such as behavior, demographics, and location, is collected and passed on within a network of technology partners, including advertising networks, data vendors, and real-time bidding platforms. This data is used to make advertisements more relevant and to optimize campaigns.
Important for advertising buyers:
- The data you use to target bids often does not come directly from the app developer, but through third parties in the advertising chain.
- This chain consists of technology providers, DSPs (Demand-Side Platforms), SSPs (Supply-Side Platforms), data brokers, and networks that distribute and trade real-time data.
If one party in this chain is compromised, such as a data broker, it can introduce risks for everyone who relies on that data for advertising purposes.
Supply chain risks for advertising buyers
Unknown data flows
Much of the location data that is sold is not transparently collected by the app developers themselves, but through advertising ecosystems without them or the end users being aware of it. If those ecosystems are hacked, all data involved is exposed.
Reputational risk through indirect involvement
When a data supplier or advertising technology partner has a breach, the data that advertising buyers use may contain sensitive information that reveals more than intended. For example, location data can track where people live, work, or which healthcare institutions they visit, information that users consider private.
Regulatory and compliance risks
In the European context, strict privacy rules such as the GDPR apply. Even if a company complies with data suppliers on paper, a data leak or unauthorized data collection at an external partner can cause compliance problems, such as fines or sanctions due to a lack of control over third parties.
For advertisers and buyers: lessons from the hack
1. Map your data supply chain
Make sure you know which partners are involved in collecting, processing, and delivering the data you use for your programmatic campaigns. This helps to identify risks before they lead to problems.
2. Ask for transparency from data suppliers
Ask partners for clear information about how and where data is collected, and how they ensure security and compliance. Not all data in real-time bidding system chains is equal; differences in sources mean differences in risk.
3. Actively monitor your suppliers
Cyber incidents at a data partner can directly affect your campaigns and target audience data. Active monitoring and audits are part of good risk management.
Conclusion
The recent hack of a data broker in which location data from users of popular apps was stolen shows how supply chain risks can be deeply embedded in the digital advertising chain, often in places where buyers themselves have little visibility. For companies that programmatically purchase advertising space, this means that effective risk analysis must go beyond the DSP, SSP, or data provider you work with directly. You need to understand and secure the entire chain.
Supply chain risks not only affect people’s privacy, but can also affect your advertising efficiency, compliance, and reputation if you rely on data that circulates through these complex ecosystems.
