Location-sharing services, like much of the modern internet, are powered by APIs. Because these APIs handle personally identifiable information such as addresses, phone numbers and more, breaches in these apps can lead to serious safety issues for users everywhere.
Life360 is a location-sharing application for iPhone and Android that helps users keep track of family members, friends, and other devices. Recently, however, an unsecured API endpoint within its cloud environment led to a massive data leak: over 400,000 users' phone numbers were compromised.
BleepingComputer reported the threat actor's handle, 'emo.'
'Emo' accessed the database of customer details using a flaw in the login API, and released a statement explaining how they did it.
"When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user."
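The flaw the actor describes (a first name and phone number present in the login API's response even though the app never displayed them) is the excessive-data-exposure pattern: the handler serialises the whole record it looked up rather than a response-specific view, so anyone who can reach the endpoint with an email address can harvest the account holder's details whether or not the password is right. The Python below is an added illustration of that pattern beside its hardened form; it is not Life360's code or a reconstruction of it, and the user-record fields, the PBKDF2 password check and the `find_pii` response checker are all assumptions made for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, asdict
from typing import Any

# Hypothetical user record; field names are assumptions for this illustration.
@dataclass(frozen=True)
class UserRecord:
    user_id: str
    email: str
    first_name: str
    phone: str
    salt: bytes
    password_hash: bytes

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(user_id, email, first_name, phone, password):
    # Salt derived from the id only so the constructed sample is reproducible.
    salt = hashlib.sha256(user_id.encode()).digest()[:16]
    return UserRecord(user_id, email, first_name, phone, salt,
                      _hash_password(password, salt))

# Constructed sample directory (fake people, fake numbers).
USERS = {u.email: u for u in [
    _make_user("u-1001", "alice@example.com", "Alice", "+1 555 010 1234", "correct horse"),
    _make_user("u-1002", "bob@example.com", "Bob", "+1 555 010 5678", "battery staple"),
]}

def _verify(user: UserRecord, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

def leaky_login(email: str, password: str) -> dict:
    """Vulnerable pattern: the handler returns the record it looked up.
    Secrets are stripped, but name and phone go out even on a failed attempt."""
    user = USERS.get(email)
    if user is None:
        return {"status": "error", "reason": "unknown_user"}
    ok = _verify(user, password)
    payload = asdict(user)
    payload.pop("password_hash")
    payload.pop("salt")
    return {"status": "ok" if ok else "error", "user": payload}

# Explicit allowlist of what a login response may carry.
LOGIN_RESPONSE_FIELDS = ("user_id",)

def safe_login(email: str, password: str) -> dict:
    """Hardened form: one generic failure response (so unknown-user and
    wrong-password are indistinguishable) and an allowlisted success body."""
    user = USERS.get(email)
    if user is None or not _verify(user, password):
        return {"status": "error", "reason": "invalid_credentials"}
    return {"status": "ok",
            "user": {f: getattr(user, f) for f in LOGIN_RESPONSE_FIELDS}}

# Response-contract check: usable as a CI test or an egress check at a gateway.
SENSITIVE_KEYS = {"phone", "first_name", "email", "password_hash", "salt"}
PHONE_RE = re.compile(r"\+?\d[\d\s\-]{7,}\d")

def find_pii(obj: Any, path: str = "$") -> list:
    """Walk a decoded JSON body; report sensitive key names and phone-like
    strings that slipped out under some other key. Returns JSONPath-style hits."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}"
            if k in SENSITIVE_KEYS:
                hits.append(p)
            else:
                hits.extend(find_pii(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_pii(v, f"{path}[{i}]"))
    elif isinstance(obj, str) and PHONE_RE.fullmatch(obj):
        hits.append(path)
    return hits

if __name__ == "__main__":
    print("leaky, wrong password:", find_pii(leaky_login("alice@example.com", "nope")))
    print("safe, wrong password: ", find_pii(safe_login("alice@example.com", "nope")))
    print("safe, correct:        ", find_pii(safe_login("alice@example.com", "correct horse")))
```

The allowlist is the important design choice: a response schema that names what may leave the service fails closed when someone later adds a column to the user table, whereas a denylist of "secret" fields (as in `leaky_login`) silently starts leaking. The `find_pii` walk is the kind of check a team can run against recorded responses of every endpoint, not just login, to catch fields the UI never shows.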
Technically, the breach started as far back as March of this year and was first discovered by HackManac, who posted about it on X. At that time, however, 'emo' denied involvement in the incident.
According to the threat actor, the vulnerability has since been fixed on Life360. However, the damage caused by the database leak cannot be undone.
This is not the first time Life360 has had cybersecurity issues. In 2021, the service added Bluetooth tracking via the Tile platform, and last month Life360 CEO Chris Hulls released a statement saying threat actors had been extorting the company.
"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information."
Although neither Tile nor Life360 commented on the cause of the breach, 404 Media reported that the hacker appeared to have used stolen credentials from a former Tile employee to access the Tile data. The extent of the data they scraped, and what they will do with it, remains to be seen.
Overall, location-sharing services, like most API-powered platforms in the modern digital world, carry a level of risk. This is why it is critical for organizations to take a 'secure by design' approach: maintain visibility of every API in their landscape and monitor how each one is used.
To learn more about API security and how you can improve your API security with FireTail, schedule a free demo here.