Life360 Database Leak from Unsecured Login API Impacts over 440,000 Customers

Life360 has suffered a database leak that impacted the personal information of nearly half a million customers.

Life360 is a family-tracking app for both Android and iOS, with more than 66 million users worldwide. It allows users to share real-time locations, track movement, perform geofencing, request emergency roadside assistance, and use other safety features.

Life360 also acquired Bluetooth tracking app Tile in December 2021 for $205 million. It allows users to find easily misplaceable items, such as keys, using an attached Bluetooth-enabled device called Tile.

The Life360 data breach occurred in March 2024 and surfaced on July 17, 2024, when a threat actor named ‘emo’ listed the stolen database for sale on the dark web hacking forum Breach Forums. In January, the same threat actor was also credited with leaking 15 million Trello email addresses scraped from an unsecured API.

Life360 database leak exposed the PII of over 440K customers

The database leak exposed personal information, including names and mobile phone numbers of 442,519 people.

With their contact information leaked, victims are at heightened risk of phishing and smishing attempts and should remain vigilant for suspicious activity.

“All Life360 customers need to know their name, phone number and email addresses are now compromised and should be extra vigilant to keep the security of these items in mind,” warned Jason Kent, Hacker in Residence at Cequence. “Following attacks could include smishing attempts, login validation attempts (checking for password reuse) and possibly Multi-Factor Fatigue Campaigns.”

However, the database leak did not expose Life360 customers’ financial details, account passwords, or Social Security Numbers, thus minimizing the risk of identity theft, account takeover, and fraud.

The threat actor denied being responsible for the Life360 data breach but explained that the database leak resulted from abusing the Android app’s login endpoint.

Although not visible to the user, the login API returned personal information, which allowed the threat actor to verify Life360 users’ names, email addresses, and phone numbers.

“When attempting to login to a Life360 account on Android the login endpoint would return the first name and phone number of the user; this existed only in the API response and was not visible to the user,” the threat actor explained.

Life360 has since fixed the vulnerable endpoint by modifying the API response to return placeholders instead of users’ real phone numbers.

“If a user had verified their phone number it would instead be returned as a partial number like +1******4830,” the threat actor said. “This endpoint no longer returns phone numbers and now a placeholder is returned in the API response.”

“This is a fairly interesting attack in that the attacker simply examined the response data from the mobile app’s login process and found sensitive information the app didn’t need to display,” Kent said. “This illustrates the need to test APIs for things like sensitive data in the responses. Even basic checks on the login API would have revealed this data leak, indicating they weren’t testing for the right things. In order to pull this database the attacker had to send thousands upon thousands of requests for usernames and scrape the return data.”

“Almost every mobile app uses an API on the backend; that’s because it can really cut down on development time and make it easy to make Android and iOS apps with the same functionality,” said Katie Paxton-Fear, API Researcher, Traceable AI. “When developers do this sometimes they will start with a very permissive API first and then as development time continues they’ll put more limits on it. This is because they’re trying to make the application as flexible as they can, so they don’t know how exactly an endpoint will work, so they return extra information.”
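The defect described above, a login response that carries fields the client never displays, and the two remedies the article mentions (an explicit response allowlist, and masking a verified number to a partial form such as +1******4830) can be illustrated in a few lines. The following is an added example written for this article, not Life360’s code or any reconstruction of its API; the user record, token and field names are constructed, and the masking helper assumes a ‘+’-prefixed number with a one-digit country code, matching the article’s quoted example. The last function is the kind of “basic check on the login API” Kent refers to: it walks a decoded response body and reports any PII by key name or value shape, so it can sit in a contract test that fails the build when a response starts leaking.

```python
import json
import re
from typing import Any

# Constructed user record of the kind a login handler loads from the user
# store. All values are made up; none of this is Life360 data or code.
USER_RECORD = {
    "user_id": "u-1001",
    "first_name": "Dana",
    "email": "dana@example.com",
    "phone": "+15551234830",
    "phone_verified": True,
    "password_hash": "$argon2id$constructed$hash",
}

# Keys the login screen actually needs. Anything not listed here never reaches
# the wire, so a "permissive first" user record cannot leak through by default.
LOGIN_RESPONSE_ALLOWLIST = frozenset({"user_id", "session_token", "phone_hint"})

# What a basic response check looks for: known PII key names, plus any string
# value shaped like a phone number or e-mail address wherever it appears.
SENSITIVE_KEYS = frozenset({"first_name", "last_name", "email", "phone", "password_hash"})
PHONE_RE = re.compile(r"^\+?\d{7,15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mask_phone(phone: str, country_digits: int = 1, keep_last: int = 4) -> str:
    """Return a partial number in the form the article quotes ('+1******4830').

    Assumes a '+'-prefixed number with a one-digit country code, as in the
    article's example; the country-code length is a parameter because it
    varies by region.
    """
    digits = phone.lstrip("+")
    if not digits.isdigit() or len(digits) <= country_digits + keep_last:
        return "*" * len(digits)  # too short to reveal anything safely
    hidden = len(digits) - country_digits - keep_last
    return "+" + digits[:country_digits] + "*" * hidden + digits[-keep_last:]


def permissive_login_response(record: dict, session_token: str) -> dict:
    """The flawed pattern: echo the stored record back minus the password hash.
    The app only displays the token, but the PII is on the wire for anyone
    who reads the response body."""
    body = {k: v for k, v in record.items() if k != "password_hash"}
    body["session_token"] = session_token
    return body


def hardened_login_response(record: dict, session_token: str) -> dict:
    """Build the response from an explicit allowlist: the client gets a session
    token and, for a verified number, only a masked hint."""
    candidate = {
        "user_id": record["user_id"],
        "session_token": session_token,
        "phone_hint": mask_phone(record["phone"]) if record.get("phone_verified") else None,
    }
    # The filter is the point: a field added to `candidate` later still does
    # not ship unless the allowlist is updated deliberately.
    return {k: v for k, v in candidate.items() if k in LOGIN_RESPONSE_ALLOWLIST}


def find_sensitive_fields(obj: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON body and return JSONPath-like locations of PII.
    Flags known key names and any string value shaped like a phone or e-mail."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    elif isinstance(obj, str) and (PHONE_RE.match(obj) or EMAIL_RE.match(obj)):
        hits.append(path)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def response_is_clean(body: Any) -> bool:
    """Contract-test predicate: a login response must carry no PII at all."""
    return not find_sensitive_fields(body)


if __name__ == "__main__":
    token = "tok-constructed-0001"  # constructed; a real token would be random
    for label, body in (
        ("permissive", permissive_login_response(USER_RECORD, token)),
        ("hardened", hardened_login_response(USER_RECORD, token)),
    ):
        print(label, json.dumps(body), "->", find_sensitive_fields(body) or "clean")
```

Run against the constructed record, the permissive response is flagged at `$.first_name`, `$.email` and `$.phone`, while the hardened response passes: the masked hint contains asterisks, so it no longer matches the phone-number pattern, and nothing outside the allowlist reaches the body. Wiring `response_is_clean` into the test suite for every authentication endpoint is the cheap check that would catch a regression when a later change makes the user model more permissive.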

Life360 has experienced two data breaches within 12 months. In June 2024, the company disclosed an extortion attempt after the Tile customer support platform suffered a database leak exposing customers’ names, home addresses, email addresses, phone numbers, and device IDs.

However, the data breach did not expose credit card numbers, account login credentials, location data, or government-issued ID numbers.

Highlighting the significant risk that abandoned credentials pose to an organization, the threat actor behind the Tile data breach reportedly exploited a former employee’s login details to gain initial access.

After gaining a foothold, they accessed the platform’s internal tools, which could enable them to create admin users, transfer Tile device ownership, and message users.

However, the database leak was limited to the Tile customer support platform and not the main service platform, and the company believes the incident was not widespread.