Safety and location services company Life360 says it was the target of an extortion attempt after a threat actor breached and stole sensitive information from a Tile customer support platform.
Life360 provides real-time location tracking, crash detection, and emergency roadside assistance services to more than 66 million members worldwide. In December 2021, it acquired Bluetooth tracking service provider Tile in a $205 million deal.
On Wednesday, Life360 revealed that an attacker breached a Tile customer support platform and gained access to names, addresses, email addresses, phone numbers, and device identification numbers.
“Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information,” Life360 CEO Chris Hulls said.
The exposed data “does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types,” Hulls added.
“We believe this incident was limited to the specific Tile customer support data described above and is not more widespread.”
Breached using stolen credentials
Life360 did not disclose how the threat actor breached its platform, but the company said that it had taken steps to protect its systems from further attack and reported the extortion attempts to law enforcement.
Additionally, the company has yet to reveal when the breach was detected or how many customers were impacted by the resulting data breach.
A Tile spokesperson refused to answer any of these questions, saying Tile is “continuing to work with law enforcement” and has “no other updates at this time.”
While Life360 did not provide many details regarding this breach, 404 Media reported on Wednesday that the hacker used what are believed to be the stolen credentials of a former Tile employee to gain access to multiple Tile systems.
The threat actor said that one of the compromised tools helps find Tile customers based on their phone numbers or private hash IDs and “initiate data access, location, or law enforcement requests,” while others presumably allowed creating admin users, pushing alerts to Tile users, and transferring Tile device ownership.
However, the attacker scraped Tile customer names, addresses, email addresses, phone numbers, and device identification numbers using a different system by sending millions of requests without being detected.
At the moment, it is uncertain whether the threat actor will release the scraped data. However, this type of data is commonly sold on hacking forums and dark web markets or released for free in order to boost the threat actor’s reputation.