Recent reports allege that over 400,000 Life360 customers have been affected by an unauthorized data leak.
What happened
In March 2024, a security flaw in Life360's login API led to the unauthorized access and leak of personal information belonging to 442,519 customers. In the breach, first detected by Hack Manac, a threat actor known only as 'emo' exploited this vulnerability to verify and steal user data such as email addresses, names, and partially masked phone numbers. Hack Manac also tied the threat actor to another large API-related breach, the one experienced by Trello.
Although Life360 has since fixed the API issue, this breach coincided with another serious security incident involving its Tile customer support platform. In that separate but related breach, an attacker used stolen credentials belonging to a former Tile employee to access multiple systems, scrape customer data, and manipulate device settings. Despite the extent of these breaches, sensitive information such as credit card numbers, passwords, and location data was not compromised.
What was said
Hack Manac, in an X post, provided the following statement from the alleged threat actor: "When attempting to log in to a Life360 account on Android, the login endpoint would return the user's first name and phone number. This existed only in the API response and was not visible to the user. If a user had verified their phone number, it would instead be returned as a partial number like +1******4830. This endpoint no longer returns phone numbers and now a placeholder number is returned in the API response."
In a statement related to the Tile breach, CEO Chris Hulls said, "Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information. We promptly initiated an investigation into the potential incident and detected unauthorized access to a Tile customer support platform (but not our Tile service platform). The potentially impacted data consists of information such as names, addresses, email addresses, phone numbers, and Tile device identification numbers."
Why it matters
Persistent threat actors like emo pose a relentless risk: they continuously probe systems for exploitable weaknesses and change tactics to evade each new security measure, which makes them difficult to keep out. APIs enable different software systems to interact and exchange data, but that same openness makes them exposed. An API that returns more information than the client actually needs puts that information within reach of anyone who can call the endpoint, turning it into an attractive target. If not properly secured, these interfaces can lead to data breaches such as the ones experienced by Life360 and Trello.
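The statement above describes a login response that carried a first name and a (partially masked) phone number the app never displayed. The following is an added illustration, not Life360's code or any code from the page, of that defect beside a hardened handler and a regression check that a defender can drop into API tests. It assumes a constructed in-memory user table and a constructed masking rule that produces the `+1******4830` shape quoted on the page; whether the real endpoint returned the fields before or after checking the password is not stated on the page, so the vulnerable version here includes them on every response.

```python
import hmac
import secrets

# Constructed sample user store; not real customer data.
USERS = {
    "alice@example.com": {
        "password": "correct-horse",  # plaintext only to keep the example short
        "first_name": "Alice",
        "phone": "+15551234830",
        "phone_verified": True,
    },
}

def mask_phone(phone: str) -> str:
    """Constructed masking rule: keep country code and last four digits."""
    return phone[:2] + "*" * (len(phone) - 6) + phone[-4:]

def login_vulnerable(email: str, password: str) -> dict:
    """Models the flaw described on the page: the handler serializes profile
    fields into the login response even though the client never shows them."""
    user = USERS.get(email)
    if user is None:
        return {"status": "unknown_user"}  # also leaks whether the email exists
    ok = user["password"] == password
    phone = mask_phone(user["phone"]) if user["phone_verified"] else user["phone"]
    return {"status": "ok" if ok else "bad_password",
            "first_name": user["first_name"], "phone": phone}

# Every key the login endpoint is allowed to return; anything else is a leak.
RESPONSE_ALLOWLIST = {"status", "session_token"}

def login_hardened(email: str, password: str) -> dict:
    """Returns only what the client needs: a status and, on success, a token.
    Failure responses have one shape, so callers cannot tell a bad password
    from an unknown account, and profile data never enters the response."""
    user = USERS.get(email)
    stored = user["password"].encode() if user else b""
    # Constant-time compare; an unknown user still runs the comparison.
    if user is None or not hmac.compare_digest(stored, password.encode()):
        return {"status": "invalid_credentials"}
    return {"status": "ok", "session_token": secrets.token_urlsafe(16)}

def leaked_fields(response: dict) -> list:
    """Regression check for API tests: keys outside the allowlist."""
    return sorted(set(response) - RESPONSE_ALLOWLIST)
```

Running `leaked_fields` over every response shape in a test suite catches a field that creeps back into the payload when a model is serialized wholesale.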
FAQs
What is a data breach?
A data breach is the unauthorized release or access of sensitive, protected, or confidential data.
What is unauthorized access?
Unauthorized access occurs when someone gains entry to a system or resource without permission.
Who are data breaches reported to?
Reporting requirements depend on the sector; in healthcare, for example, breaches are reported to HHS.