A threat actor known as ’emo’ leaked a database containing the personal information of 442,519 Life360 customers. The data was obtained by exploiting an unsecured API endpoint that allowed easy access to users’ names, email addresses, and phone numbers. The flaw existed in the API response when attempting to log into a Life360 account on Android, revealing sensitive information without the user’s knowledge. Life360 has since fixed the vulnerability, replacing the exposed phone numbers with placeholders.
The breach was first identified by HackManac, with the initial data leak occurring in March 2024. Emo, the threat actor, clarified that they were not responsible for the original breach. In addition to the Life360 data, emo also leaked over 15 million email addresses associated with Trello accounts, which were collected using a separate unsecured API in January. These incidents highlight ongoing security challenges for companies reliant on API-based systems.
Life360 disclosed another security incident where attackers breached a Tile customer support platform, stealing sensitive information including names, addresses, email addresses, phone numbers, and device IDs. The attackers likely used credentials from a former Tile employee to gain access to multiple systems, allowing them to manipulate Tile users’ data and transfer device ownership. The company confirmed that the exposed data did not include more sensitive information such as credit card numbers or government-issued IDs.
Life360, which acquired Tile in December 2021, has yet to provide full details on the extent of the Tile breach or how many customers were affected. The company emphasized that the incident was limited to specific Tile customer support data. As Life360 provides services to over 66 million members globally, these security breaches have raised serious concerns about the protection of user data and the effectiveness of the company’s security measures.
Reference: