{
	"id": "4eff2fb9-9006-4052-9fd2-96ed1253627e",
	"created_at": "2026-04-06T00:18:10.145381Z",
	"updated_at": "2026-04-10T03:22:08.687784Z",
	"deleted_at": null,
	"sha1_hash": "5b908a0c852244086c181213d556a460906e71e1",
	"title": "Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1856046,
	"plain_text": "Tracking Firm LocationSmart Leaked Location Data for\r\nCustomers of All Major U.S. Mobile Carriers Without Consent in\r\nReal Time Via Its Web Site\r\nPublished: 2018-05-19 · Archived: 2026-04-05 18:04:16 UTC\r\nLocationSmart, a U.S.-based company that acts as an aggregator of real-time data about the precise location of\r\nmobile phone devices, has been leaking this information to anyone via a buggy component of its Web site —\r\nwithout the need for any password or other form of authentication or authorization — KrebsOnSecurity has\r\nlearned. The company took the vulnerable service offline early this afternoon after being contacted by\r\nKrebsOnSecurity, which verified that it could be used to reveal the location of any AT\u0026T, Sprint, T-Mobile or\r\nVerizon phone in the United States to an accuracy of within a few hundred yards.\r\nOn May 10, The New York Times broke the news that a different cell phone location tracking company called\r\nSecurus Technologies had been selling or giving away location data on customers of virtually any major mobile\r\nnetwork provider to a sheriff’s office in Mississippi County, Mo.\r\nOn May 15, ZDnet.com ran a piece saying that Securus was getting its data through an intermediary — Carlsbad,\r\nCA-based LocationSmart.\r\nWednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus\r\nand stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users.\r\nMost of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching\r\nfrom 2011 up to this year.\r\nhttps://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/\r\nPage 1 of 8\n\nSeveral hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security\r\nresearcher at Carnegie Mellon University 
who’d read the coverage of Securus and LocationSmart and had been\r\npoking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out\r\nits mobile location technology.\r\nLocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile\r\nphone, just by entering their name, email address and phone number into a form on the site. LocationSmart then\r\ntexts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network\r\ntower.\r\nOnce that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude,\r\nplotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of\r\ntechnical data about your mobile device. For example, according to their privacy policy that information “may\r\ninclude, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi\r\naccess point, or IP address information”].\r\nBut according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed\r\nto perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of\r\nknowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct\r\nmobile number location lookups at will, all without ever having to supply a password or other credentials.\r\n“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone\r\ncould discover with minimal effort. And the gist of it is I can track most people’s cell phones without their\r\nconsent.”\r\nXiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to\r\na subscriber’s mobile device. 
Xiao said he checked the mobile number of a friend several times over a few\r\nminutes while that friend was moving and found he was then able to plug the coordinates into Google Maps and\r\ntrack the friend’s directional movement.\r\n“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one\r\nTelus Mobility mobile customer in Canada who volunteered to be found.\r\nBefore LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all\r\nof whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine\r\nwithin a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone\r\nbelonging to all five of my sources.\r\nLocationSmart’s demo page.\r\nOne of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their\r\nthen-current location. Another source said the location found by the researcher was 1.5 miles away from his\r\ncurrent location. The remaining three sources said the location returned for their phones was between\r\napproximately 1/5 and 1/3 of a mile at the time.\r\nReached for comment via phone, LocationSmart Founder and CEO Mario Proietti said the company was\r\ninvestigating.\r\n“We don’t give away data,” Proietti said. “We make it available for legitimate and authorized purposes. It’s based\r\non legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and\r\nwe’ll review all facts and look into them.”\r\nLocationSmart’s home page features the corporate logos of all four of the major wireless providers, as well as\r\ncompanies like Google, Neustar, ThreatMetrix, and U.S. Cellular. 
The company says its technologies help\r\nbusinesses keep track of remote employees and corporate assets, and that it helps mobile advertisers and marketers\r\nserve consumers with “geo-relevant promotions.”\r\nLocationSmart’s home page lists many partners.\r\nIt’s not clear exactly how long LocationSmart has offered its demo service or for how long the service has been so\r\npermissive; this link from archive.org suggests it dates back to at least January 2017. This link from The Internet\r\nArchive suggests the service may have existed under a different company name — loc-aid.com — since mid-2011, but it’s unclear if that service used the same code. Loc-aid.com is one of four other sites hosted on the same\r\nserver as locationsmart.com, according to Domaintools.com.\r\nLocationSmart’s privacy policy says the company has security measures in place “…to protect our site from the\r\nloss or misuse of information that we have collected. Our servers are protected by firewalls and are physically\r\nlocated in secure data facilities to further increase security. While no computer is 100% safe from outside attacks,\r\nwe believe that the steps we have taken to protect your personal information drastically reduce the likelihood of\r\nsecurity problems to a level appropriate to the type of information involved.”\r\nBut these assurances may ring hollow to anyone with a cell phone who’s concerned about having their physical\r\nlocation revealed at any time. 
The component of LocationSmart’s Web site that can be abused to look up mobile\r\nlocation data at will is an insecure “application programming interface” or API — an interactive feature designed\r\nto display data in response to specific queries by Web site visitors.\r\nAlthough LocationSmart’s demo page required users to consent to having their phone located by the service,\r\nLocationSmart apparently did nothing to prevent or authenticate direct interaction with the API itself.\r\nAPI authentication weaknesses are not uncommon, but they can lead to the exposure of sensitive data on a great\r\nmany people in a short period of time. In April 2018, KrebsOnSecurity broke the story of an API at the Web site of\r\nfast-casual bakery chain PaneraBread.com that exposed the names, email and physical addresses, birthdays and\r\nlast four digits of credit cards on file for tens of millions of customers who’d signed up for an account at\r\nPaneraBread to order food online.\r\nIn a May 9 letter sent to the top four wireless carriers and to the U.S. Federal Communications Commission in\r\nthe wake of revelations about Securus’ alleged practices, Sen. Ron Wyden (D-Ore.) 
urged all parties to take\r\n“proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data.”\r\n“Securus informed my office that it purchases real-time location information on AT\u0026T’s customers — through a\r\nthird party location aggregator that has a commercial relationship with the major wireless carriers — and routinely\r\nshares that information with its government clients,” Wyden wrote. “This practice skirts wireless carriers’ legal\r\nobligation to be the sole conduit by which the government may conduct surveillance of Americans’ phone records,\r\nand needlessly exposes millions of Americans to potential abuse and unchecked surveillance by the government.”\r\nSecurus, which reportedly gets its cell phone location data from LocationSmart, told The New York Times that it\r\nrequires customers to upload a legal document — such as a warrant or affidavit — and to certify that the activity\r\nwas authorized. But in his letter, Wyden said “senior officials from Securus have confirmed to my office that it\r\nnever checks the legitimacy of those uploaded documents to determine whether they are in fact court orders and\r\nhas dismissed suggestions that it is obligated to do so.”\r\nSecurus did not respond to requests for comment.\r\nTHE CARRIERS RESPOND\r\nIt remains unclear what, if anything, AT\u0026T, Sprint, T-Mobile and Verizon plan to do about any of this. A third-party firm leaking customer location information not only would almost certainly violate each mobile provider’s\r\nown stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for\r\nvirtually all U.S. 
mobile customers (and perhaps beyond, although all my willing subjects were inside the United\r\nStates).\r\nNone of the major carriers would confirm or deny a formal business relationship with LocationSmart, despite\r\nLocationSmart listing them each by corporate logo on its Web site.\r\nAT\u0026T spokesperson Jim Greer said AT\u0026T does not permit the sharing of location information without customer\r\nconsent or a demand from law enforcement.\r\n“If we learn that a vendor does not adhere to our policy we will take appropriate action,” Greer said.\r\nT-Mobile referred me to their privacy policy, which says T-Mobile follows the “best practices” document (PDF)\r\nfor subscriber location data as laid out by the CTIA, the international association for the wireless\r\ntelecommunications industry.\r\nA T-Mobile spokesperson said that after receiving Sen. Wyden’s letter, the company quickly shut down any\r\ntransaction of customer location data to Securus and LocationSmart.\r\n“We take the privacy and security of our customers’ data very seriously,” the company said in a written statement.\r\n“We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were\r\nresolved and our customers’ information is protected. We continue to investigate this.”\r\nVerizon also referred me to their privacy policy.\r\nSprint officials shared the following statement:\r\n“Protecting our customers’ privacy and security is a top priority, and we are transparent about\r\nour Privacy Policy. 
To be clear, we do not share or sell consumers’ sensitive information to third parties.\r\nWe share personally identifiable geo-location information only with customer consent or in response to\r\na lawful request such as a validated court order from law enforcement.”\r\n“We will answer the questions raised in Sen. Wyden’s letter directly through appropriate channels.\r\nHowever, it is important to note that Sprint’s relationship with Securus does not include data sharing,\r\nand is limited to supporting efforts to curb unlawful use of contraband cellphones in correctional\r\nfacilities.”\r\nWHAT NOW?\r\nStephanie Lacambra, a staff attorney with the nonprofit Electronic Frontier Foundation, said that wireless\r\ncustomers in the United States cannot opt out of location tracking by their own mobile providers. For starters,\r\ncarriers constantly use this information to provide more reliable service to their customers. Also, by law wireless\r\ncompanies need to be able to ascertain at any time the approximate location of a customer’s phone in order to\r\ncomply with emergency 911 regulations.\r\nBut unless and until Congress and federal regulators make it more clear how and whether customer location\r\ninformation can be shared with third parties, mobile device customers may continue to have their location\r\ninformation potentially exposed by a host of third-party companies, Lacambra said.\r\n“This is precisely why we have lobbied so hard for robust privacy protections for location information,” she said.\r\n“It really should be only that law enforcement is required to get a warrant for this stuff, and that’s the rule we’ve\r\nbeen trying to push for.”\r\nChris Calabrese is vice president of the Center for Democracy \u0026 Technology, a policy think tank in Washington,\r\nD.C. 
Calabrese said the current rules about mobile subscriber location information are governed by the Electronic\r\nCommunications Privacy Act (ECPA), a law passed in 1986 that hasn’t been substantially updated since.\r\n“The law here is really out of date,” Calabrese said. “But I think any processes that involve going to third parties\r\nwho don’t verify that it’s a lawful or law enforcement request — and that don’t make sure the evidence behind\r\nthat request is legitimate — are hugely problematic and they’re major privacy violations.”\r\n“I would be very surprised if any mobile carrier doesn’t think location information should be treated sensitively,\r\nand I’m sure none of them want this information to be made public,” Calabrese continued. “My guess is the\r\ncarriers are going to come down hard on this, because it’s sort of their worst nightmare come true. We all know\r\nthat cell phones are portable tracking devices. There’s a sort of an implicit deal where we’re okay with it because\r\nwe get lots of benefits from it, but we all also assume this information should be protected. But when it isn’t, that\r\npresents a major problem and I think these examples would be a spur for some sort of legislative intervention if\r\nthey weren’t fixed very quickly.”\r\nFor his part, Xiao says we’re likely to see more leaks from location tracking companies like Securus and\r\nLocationSmart as long as the mobile carriers are providing third-party companies any access to customer location\r\ninformation.\r\n“We’re going to continue to see breaches like this happen until access to this data can be much more tightly\r\ncontrolled,” he said.\r\nSen. 
Wyden issued a statement on Friday in response to this story:\r\n“This leak, coming only days after the lax security at Securus was exposed, demonstrates how little\r\ncompanies throughout the wireless ecosystem value Americans’ security. It represents a clear and\r\npresent danger, not just to privacy but to the financial and personal security of every American family.\r\nBecause they value profits above the privacy and safety of the Americans whose locations they traffic\r\nin, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic\r\nknowledge of websites to track the location of any American with a cell phone.”\r\n“The threats to Americans’ security are grave – a hacker could have used this site to know when you\r\nwere in your house so they would know when to rob it. A predator could have tracked your child’s cell\r\nphone to know when they were alone. The dangers from LocationSmart and other companies are\r\nlimitless. If the FCC refuses to act after this revelation then future crimes against Americans will be the\r\ncommissioners’ heads.”\r\nSen. Mark Warner (D-Va.) also issued a statement:\r\n“This is one of many developments over the last year indicating that consumers are really in the dark on how their\r\ndata is being collected and used,” Sen. Warner said. “It’s more evidence that we need 21st century rules that put\r\nusers in the driver’s seat when it comes to the ways their data is used.”\r\nIn a statement provided to KrebsOnSecurity on Friday, LocationSmart said:\r\n“LocationSmart provides an enterprise mobility platform that strives to bring secure operational\r\nefficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform\r\nrelies on consent first being received from the individual subscriber. The vulnerability of the consent\r\nmechanism recently identified by Mr. 
Robert Xiao, a cybersecurity researcher, on our online demo has\r\nbeen resolved and the demo has been disabled. We have further confirmed that the vulnerability was not\r\nexploited prior to May 16th and did not result in any customer information being obtained without their\r\npermission.”\r\n“On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the\r\nvulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located\r\nonly after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify\r\nthat not a single subscriber’s location was accessed without their consent and that no other\r\nvulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy\r\nand security measures and is incorporating what it has learned from this incident into that process.”\r\nIt’s not clear who LocationSmart considers “customers” in the phrase, “did not result in any customer information\r\nbeing obtained without their permission,” since anyone whose location was looked up through abuse of the\r\nservice’s buggy API could not fairly be considered a “customer.”\r\nUpdate, May 18, 11:31 AM ET: Added comments from Sens. Wyden and Warner, as well as updated statements\r\nfrom LocationSmart and T-Mobile.\r\nSource: https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/"
	],
	"report_names": [
		"tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site"
	],
	"threat_actors": [],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b908a0c852244086c181213d556a460906e71e1.pdf",
		"text": "https://archive.orkl.eu/5b908a0c852244086c181213d556a460906e71e1.txt",
		"img": "https://archive.orkl.eu/5b908a0c852244086c181213d556a460906e71e1.jpg"
	}
}