A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API.
Known only by their 'emo' handle, they said the unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number.
“When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user,” emo said.
“If a user had verified their phone number it would instead be returned as a partial number like +1******4830.”
According to the threat actor, Life360 has since fixed the API flaw, and additional requests now return a placeholder phone number.
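The flaw described above is a pre-authentication response carrying personal fields that the client never displays. As an added example (not code from the article or from Life360; the allowlisted keys and both sample responses are constructed assumptions), a regression check that flags such fields in a failed-login response body:

```python
import json
import re

# Assumption: the only top-level keys a pre-authentication response may carry.
ALLOWED_PREAUTH_KEYS = {"status", "error", "message", "request_id"}

# Phone-like strings, including partially masked ones such as +1******4830.
PHONE_RE = re.compile(r"^\+?[\d*][\d*\s().-]{5,}[\d*]$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def leaves(node, path="$"):
    """Yield (json_path, value) for every scalar in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from leaves(value, f"{path}[{i}]")
    else:
        yield path, node

def audit_preauth_response(body):
    """Return (json_path, reason) findings for a login response sent before auth succeeds."""
    doc = json.loads(body)
    findings = []
    if isinstance(doc, dict):
        for key in doc:
            if key not in ALLOWED_PREAUTH_KEYS:
                findings.append((f"$.{key}", "unexpected key"))
    for path, value in leaves(doc):
        if not isinstance(value, str):
            continue
        if PHONE_RE.match(value):
            findings.append((path, "phone-like value"))
        elif EMAIL_RE.match(value):
            findings.append((path, "email-like value"))
    return findings

# Constructed samples: a response shaped like the one described, and a minimal one.
LEAKY = '{"error": "invalid_credentials", "user": {"firstName": "Alex", "phone": "+1******4830"}}'
CLEAN = '{"status": "denied", "error": "invalid_credentials", "request_id": "c0ffee-0001"}'

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_preauth_response(body))
```

Run against captured responses in an API test suite, the check fails the build whenever a pre-auth response grows a field outside the allowlist, whether or not the app renders it.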
As first spotted by HackManac, the breach behind this data leak occurred in March 2024, with emo saying they weren't behind the incident.
On Monday, the same threat actor also leaked over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January.
While the company didn't reply to a request for comment regarding the threat actor's claims, BleepingComputer confirmed the information belongs to actual Life360 customers by verifying multiple entries in the leaked data.
On Thursday, Life360 also disclosed it was the target of an extortion attempt after attackers breached a Tile customer support platform and stole sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.
The threat actor likely used the stolen credentials of a former Tile employee to breach multiple Tile systems, which allowed finding Tile users, creating admin users, pushing alerts to Tile users, and transferring Tile device ownership, as 404 Media first reported last week.
Using a different system, the attacker also scraped Tile customer names, home and email addresses, phone numbers, and device IDs, sending tens of millions of requests while evading detection.
The exposed data “does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types,” Life360 CEO Chris Hulls added. “We believe this incident was limited to the specific Tile customer support data described above and is not more widespread.”
The company has yet to reveal when the Tile incident was detected and how many customers were impacted by the resulting data breach.
Life360 provides real-time location tracking, emergency roadside assistance services, and crash detection to over 66 million members worldwide. In December 2021, the company acquired Bluetooth tracking service provider Tile in a $205 million deal.
A Life360 spokesperson was not immediately available when BleepingComputer reached out today to comment on this week's data leak and confirm whether it's the same incident as the Tile breach.