Header image

Life360 Customer Details Leaked Following API Breach

Attacker abused login API flaw.

A database containing the personal information of 442,519 Life360 customers has been leaked.

According to Bleeping Computer, the database was accessed by abusing a flaw in the login API, with the attacker saying the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user. They confirmed that Life360 has since fixed the API flaw.

The breach behind this data leak reportedly took place in March 2024.

Jason Kent, hacker in residence at Cequence, said the attack is interesting as it required the attackers to look at the response data on the mobile app channel to know what was needed for the transaction to complete.

“This illustrates the need to test APIs for things like sensitive data in the responses,” he said. “Very simple instrumentation on the login API would have shown that sensitive data was leaking in the responses showing they weren’t looking in the right places for the right things.

“In order to pull this database the attacker had to send thousands upon thousands of requests for usernames and scraped the return data.”

Life360 has also recently disclosed that it was the target of an extortion attempt after attackers breached a Tile customer support platform and stole sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.

Detected Attempt

In a statement sent to SC UK, Life360 said that in March, it detected an attempt to gain unauthorized access to user information using email addresses compromised in prior third-party security incidents. "Upon detection, we took immediate action to address this issue, preventing further disclosure of user data within a few hours. We have since removed the ability to access user data with email addresses and implemented limits on how frequently this endpoint can be called. Customers affected by this incident have been notified." 

The company also confirmed that the unauthorized data disclosure was limited to first names and mobile phone numbers; it has no evidence of access to or disclosure of location data, credit card or other payment information, government-issued identification numbers, passwords, or other sensitive data. "We remain committed to continuously improving our security protocols to safeguard our users' privacy."

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Upcoming Events

No events found.