API economy
API security
cloud security
Cyber landscape
July 19, 2024

Life 360 Phone Number Leak

Location-sharing services, like much of the modern internet, are powered by APIs. Because these APIs handle personally identifiable information such as addresses, phone numbers and more, breaches in these apps can lead to serious safety issues for users everywhere.

Life 360 Phone Number Leak

Life360 is a location-sharing sharing application for iPhone and Android, to help users keep track of their family members, friends, and other devices. However, recently, an unsecured API endpoint within their cloud environment has led to a massive data leak- over 400,000 users’ phone numbers have been compromised.

The Bleeping Computer exposed the threat actor's handle, ‘emo.’ 

‘Emo’ accessed the database of customer details using a flaw in the login API. They released a statement explaining how they did this.

"When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user."

Technically, the breach started as far back as March of this year, and was first discovered by HackManac, who posted about it on X. However, at that time, ‘emo’ denied involvement with the incident.

According to the threat actor, the vulnerability has since been fixed on Life360. However, the damage caused by the database leak cannot be undone. 

And this is not the first time Life360 has had issues with their cybersecurity. In 2021, the service added Bluetooth tracking via the Tile platform. However, last month, Life360 CEO Chris Hulls released a statement saying threat actors had been extorting the service.

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information.”

Although neither Tile nor Life360 commented on the cause of the breach, 404 Media reported that it appeared the hacker used stolen credentials from a former Tile employee to access the Tile data. However, the extent of the date they scraped and what they will do with it remains to be seen.

Overall, location sharing services, like most API-powered platforms in the modern digital world, come with a level of risk. This is why it is critical for organizations to use a ‘secure by design’ approach to maintain visibility and monitor usage of all the APIs in their landscape. 

To learn more about API security and how you can improve your API security with FireTail, schedule a free demo here.

Lina Romero

Related posts

The Challenges of API Logging
August 28, 2024

The Challenges of API Logging

APIs can run almost anywhere, including any type of compute platforms and network infrastructure services on AWS. In this blog, we’ll go over the different types of compute platforms, network infrastructure services, and how they relate to your APIs and API security.

Read more
A View from The C-Suite: The New CIS API Security Guide
August 28, 2024

A View from The C-Suite: The New CIS API Security Guide

FireTail partnered with the Center for Internet Security (CIS) to create an API security community. The end result is the first draft of The CIS API Security Guide, reviewed by cybersecurity experts from around the world before its release. Read more here.

Read more
Selenium Grid Target of Malware Attack
August 2, 2024

Selenium Grid Target of Malware Attack

There is also a massive lack of awareness around APIs and API endpoints. Many developers buy 3rd party software packages without realizing that they contain a variety of APIs with their own unique vulnerabilities.

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!