Over 400,000 Life360 user phone numbers leaked via unsecured API
A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API.
Known only by their 'emo' handle, they said the unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number.
"When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user," emo said.
"If a user had verified their phone number it would instead be returned as a partial number like +1******4830."
According to the threat actor, Life360 has since fixed the API flaw, and additional requests now return a placeholder phone number.
As first spotted by HackManac, the breach behind this data leak occurred in March 2024, with emo saying they weren't behind the incident.
On Monday, the same threat actor also leaked over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January.
While the company didn't reply to a request for comment regarding the threat actor's claims, BleepingComputer confirmed the information belongs to actual Life360 customers by verifying multiple entries in the leaked data.
On Thursday, Life360 also disclosed it was the target of an extortion attempt after attackers breached a Tile customer support platform and stole sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.
The threat actor likely used the stolen credentials of a former Tile employee to breach multiple Tile systems, which allowed finding Tile users, creating admin users, pushing alerts to Tile users, and transferring Tile device ownership, as 404 Media first reported last week.
Using a different system, the attacker also scraped Tile customer names, home and email addresses, phone numbers, and device IDs, sending millions of requests while evading detection.
The exposed data "does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types," Life360 CEO Chris Hulls added. "We believe this incident was limited to the specific Tile customer support data described above and is not more widespread."
The company has yet to reveal when the Tile incident was detected and how many customers were impacted by the resulting data breach.
Life360 provides real-time location tracking, emergency roadside assistance services, and crash detection to over 66 million members worldwide. In December 2021, the company acquired Bluetooth tracking service provider Tile in a $205 million deal.
A Life360 spokesperson was not immediately available when BleepingComputer reached out today to comment on this week's data leak and confirm whether it's the same incident as the Tile breach.
source: BleepingComputer
Free security scan for your website