A threat actor has claimed to be selling a massive dataset of 7,687,248 Waze user records, raising serious privacy concerns for users of the popular navigation app. The dataset allegedly includes usernames, unique IDs, and real-time GPS locations, making it a potentially dangerous breach if verified.

Details of the Breach

According to reports, the data was advertised for sale on a dark web marketplace, where the seller claimed it contained sensitive user information from Waze, a Google-owned navigation app. The leaked records allegedly include:

• Usernames

• Unique User IDs

• GPS Location Data

• Travel History

The breach is particularly concerning as it could allow attackers to track users in real time, exposing them to security threats such as stalking, targeted attacks, or identity theft.

Security Concerns and Previous Warnings

This isn't the first time Waze has faced security scrutiny. Cybersecurity researcher Peter Gasper previously identified API vulnerabilities that could be exploited to track users' movements in real-time. While Google has reportedly patched some of these vulnerabilities, the latest claims suggest that Waze may still have major security flaws.

The ability to access real-time GPS data and unique identifiers raises significant concerns, as it could allow cybercriminals to trace user movements, monitor travel patterns, or even impersonate individuals for malicious purposes.

Potential Impact on Users

If the claims are verified, this breach could have severe privacy implications for Waze users globally. The exposure of real-time location data is especially dangerous as it could:

• Enable criminals to stalk or target individuals based on travel habits.

• Facilitate identity theft or phishing attacks using stolen account data.

• Allow hackers to interfere with navigation services, causing potential safety risks.

Given Waze’s reliance on crowdsourced data, the leak also raises concerns about whether other types of user-generated content (such as route preferences and shared reports) have been compromised.

What Waze Users Should Do?

While Google has not yet confirmed the breach, cybersecurity experts recommend that Waze users take precautionary measures to protect their personal data:

1. Change Waze Account Credentials: If the breach is verified, users should update their passwords immediately.

2. Review App Permissions: Disable location tracking when not in use.

3. Monitor Accounts for Suspicious Activity: Be wary of phishing emails or unusual login attempts.

4. Consider Using a VPN: This can add an extra layer of protection when using navigation services.

Waze’s Response and Next Steps

As of now, Google has not publicly addressed the alleged data breach. Cybersecurity experts are urging the company to conduct a thorough investigation and enhance API security protocols to prevent future leaks.

This incident underscores the growing risks of location-based apps and the need for stronger security measures to protect user data. If confirmed, this breach could lead to serious legal and regulatory repercussions for Waze and its parent company, Google.

For now, Waze users should remain cautious, limit the app’s data-sharing permissions, and stay updated on any official statements regarding this breach.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.