Almost as if having GDPR to keep at least the worst of the data-brokering/selling industry out is a good thing.
The more detailed report someone posted does sound like this was hacked at the source, but a lot of the data can be bought legally on the open, not-even-too-grey market. Some journalists bought one of the location data sets and used it to demonstrate that you can identify intelligence agency employees from it (if someone spends almost every workday at one site belonging to the agency, occasionally visits the other one... the other place that "anonymous" user spends a lot of time at is likely the home of an intelligence agency employee).
If the industry wasn't selling it to anyone who asks, they'd still likely keep it in easily hacked places.
The more detailed report someone posted does sound like this was hacked at the source, but a lot of the data can be bought legally on the open, not-even-too-grey market. Some journalists bought one of the location data sets and used it to demonstrate that you can identify intelligence agency employees from it (if someone spends almost every workday at one site belonging to the agency, occasionally visits the other one... the other place that "anonymous" user spends a lot of time at is likely the home of an intelligence agency employee).
If the industry wasn't selling it to anyone who asks, they'd still likely keep it in easily hacked places.