
Over 400,000 Life360 User Phone Numbers Exposed: Unsecured API Threatens Privacy

Over 400,000 Life360 users’ phone numbers have been leaked due to an unsecured Android API. Researchers found the platform’s API did not require authentication and allowed data harvesting. Life360 is working to fix the vulnerability, while users are advised to monitor their accounts for any suspicious activity.


Life360 Personal Information Leak

A cybercriminal has exposed a database containing the personal information of 442,519 Life360 customers, obtained by exploiting a vulnerability in the login API. The individual, known only by the handle ‘emo’, claimed the unprotected API endpoint allowed them to easily verify user information such as email addresses, names, and phone numbers.

Emo explained that when attempting to log in to a Life360 account on Android, the login endpoint would return the user’s first name and phone number. This information was only available in the API response and not visible to the user. If the user had verified their phone number, a partial number would be returned instead, like +1******4830.

The hacker has since reported that Life360 fixed the API flaw, and additional requests now return a placeholder phone number.
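For defenders, the class of flaw described above can be shown as a login handler that echoes profile fields before the credential check succeeds, next to a hardened version. This is an added example, not Life360's code: the field names, the user store and all function names are hypothetical, and the sample account is constructed.

```python
import hmac

# Constructed sample store. Plaintext passwords keep the example short;
# a real service stores a password hash.
USERS = {
    "alice@example.com": {"first_name": "Alice", "phone": "+15555550123",
                          "password": "correct horse"},
}
GENERIC_FAILURE = {"status": "error", "message": "Invalid email or password"}


def _matches(stored, supplied):
    # Constant-time comparison of the two secrets.
    return hmac.compare_digest(stored.encode(), supplied.encode())


def leaky_login(email, password):
    """Flawed pattern: profile data for the supplied identifier is placed
    in the response even when authentication fails."""
    user = USERS.get(email)
    if user is None:
        return {"status": "error", "message": "No such account"}
    body = {"first_name": user["first_name"], "phone": user["phone"]}
    if not _matches(user["password"], password):
        return {"status": "error", **body}  # PII reaches an unauthenticated caller
    return {"status": "ok", **body}


def hardened_login(email, password):
    """Profile fields are returned only after the credential check passes;
    'unknown account' and 'wrong password' produce the same body."""
    user = USERS.get(email)
    # Compare against a dummy value when the account is missing so both
    # failure paths do the same work.
    stored = user["password"] if user else "\x00dummy"
    if not (_matches(stored, password) and user is not None):
        return dict(GENERIC_FAILURE)
    return {"status": "ok", "first_name": user["first_name"],
            "phone": user["phone"]}


def pii_fields(response):
    """Names of personal-data fields present in a response body,
    usable as a regression check on failed-login responses."""
    return sorted(k for k in ("first_name", "phone", "email") if k in response)
```

A check like `pii_fields` on failed-login responses can run in an API test suite so the leak cannot silently return.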

Details of the Breach

HackManac first spotted the breach, which occurred in March 2024. Emo denied being responsible for the incident. Additionally, on Monday, the same hacker leaked over 15 million email addresses associated with Trello accounts, collected using an unsecured API in January.

Though Life360 did not respond to our request for comment, we confirmed that the leaked data belongs to actual Life360 customers by verifying multiple entries. 

Life360 Extortion Attempt

Last Thursday, Life360 disclosed that it was the target of an extortion attempt. Attackers had breached a Tile customer support platform and stolen sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.

The cybercriminal likely used the stolen credentials of a former Tile employee to access multiple Tile systems, enabling them to find Tile users, create admin users, push alerts to Tile users, and transfer Tile device ownership. 404 Media reported this information last week.

Utilizing a separate system, the attacker also scraped Tile customer names, home and email addresses, phone numbers, and device IDs, sending millions of requests while avoiding detection.

Extent of Exposed Data

Life360 CEO Chris Hulls stated that the exposed data “does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types.” Hulls added, “We believe this incident was limited to the specific Tile customer support data described above and is not more widespread.”

The company has yet to reveal when the Tile incident was detected and how many customers were impacted by the resulting data breach.

About Life360

Life360 offers real-time location tracking, emergency roadside assistance services, and crash detection to over 66 million members worldwide. In December 2021, the company acquired Bluetooth tracking service provider Tile in a $205 million deal.

When we reached out to Life360 for comment on the data leak and to confirm whether it is the same incident as the Tile breach, a spokesperson was not immediately available.
