A hacker exploited a vulnerability in the login API of Life360, resulting in the exposure of its database that contained 442,519 customers’ PII.
The hacker, who goes by the name ‘emo,’ claimed that the insecure API endpoint used to acquire the data made it easy to validate each compromised user’s email address, name, and phone number held by the compromised company.
When the threat actor attempted to log in to a Life360 account on Android, the login endpoint returned the user’s first name and phone number, which appeared only in the API response and were not visible to the user.
However, the threat actor noted that Life360 had already fixed the bug, and its subsequent requests now returned a placeholder phone number. On the other hand, a researcher disclosed that the exploit that caused this data leak occurred last March, but ‘emo’ has denied its involvement in the event.
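The following sketch is an added example, not Life360's code: it contrasts a login handler that leaks profile fields in its response with a hardened one, and includes a regression check that scans responses for stored PII. The schema, handler names, and the assumption that the leak occurred on an unauthenticated login attempt are all hypothetical; the article does not give those details.

```python
import hashlib
import hmac
import json

def _kdf(password, salt):
    # Low iteration count only to keep this demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

# Constructed sample record (hypothetical schema, not Life360's).
USERS = {"alice@example.com": {"first_name": "Alice", "phone": "+15555550100",
                               "salt": b"demo-salt",
                               "pw_hash": _kdf("correct horse", b"demo-salt")}}
_DUMMY = {"salt": b"dummy-salt", "pw_hash": bytes(32)}  # stand-in for unknown accounts

def _password_ok(user, password):
    return hmac.compare_digest(_kdf(password, user["salt"]), user["pw_hash"])

def login_leaky(email, password):
    """Before: a failed attempt still serializes profile fields the app never shows."""
    user = USERS.get(email)
    if user is None:
        return 404, {"error": "unknown account"}
    if not _password_ok(user, password):
        return 401, {"error": "bad password",
                     "first_name": user["first_name"], "phone": user["phone"]}
    return 200, {"token": "constructed-token", "first_name": user["first_name"]}

def login_hardened(email, password):
    """After: one generic failure for every unauthenticated outcome, no user data."""
    user = USERS.get(email)
    # Always run the KDF so unknown and known accounts do comparable work.
    ok = _password_ok(user or _DUMMY, password) and user is not None
    if not ok:
        return 401, {"error": "invalid email or password"}
    return 200, {"token": "constructed-token", "first_name": user["first_name"]}

def leaked_pii(body, email):
    """Regression check: which stored PII values appear in the serialized response."""
    user = USERS.get(email, {})
    wire = json.dumps(body)
    return sorted(f for f in ("first_name", "phone") if f in user and user[f] in wire)

if __name__ == "__main__":
    for handler in (login_leaky, login_hardened):
        status, body = handler("alice@example.com", "wrong password")
        print(handler.__name__, status, leaked_pii(body, "alice@example.com"))
```

A check like `leaked_pii` belongs in the API's test suite, run against every unauthenticated response, because fields that the client UI hides are still fully visible on the wire.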
Life360 faced another cybersecurity issue this week.
Earlier this week, Life360 revealed that it was the subject of an extortion campaign after the infiltrators accessed a Tile customer support network and stole sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.
The initial investigation suggests that the threat actor most likely leveraged a former Tile employee’s stolen credentials to breach several Tile systems, allowing it to identify Tile users, generate admin users, send alerts to Tile users, and transfer Tile device ownership.
The attacker also scraped Tile customer names, home and email addresses, phone numbers, and device IDs using a different system. They also sent millions of requests while remaining undetected during the breach.
However, the affected company insisted that sensitive details, like credit card numbers, passwords or login credentials, location data, or government-issued identification numbers, were not included in the leaked data since they were not stored on the Tile customer service platform.
The company also believes this problem is limited to the earlier mentioned Tile customer support data and is less widespread. As of now, the corporation has yet to specify when it identified the Tile hack or how many consumers were affected by the subsequent data leak.
