The details of nearly half a million Life360 customers have been leaked onto the dark web following a data breach.
Earlier this week, a threat actor going by the alias “emo” posted a new thread on an underground hacking forum, sharing a database of email addresses, phone numbers, and full names of 442,519 people. In the post, the hacker claimed that they were not the ones who first breached the site.
“All credit goes to the original perpetrator of this leak, do you know who you are?” they said.
Problems solved
BleepingComputer reports that the breach occurred in March 2024, when someone exploited a flaw in the site’s login API. The outlet also confirmed the authenticity of at least some of the data in the archive.
“When attempting to log into a life360 account on Android, the login endpoint would return the user’s first name and phone number, this only existed in the API response and was not visible to the user,” emo said. “If a user had verified their phone number, it would instead be returned as a partial number like +1******4830.”
The post also states that Life360 has since fixed the flaw, with the endpoint no longer returning the phone numbers. “A temporary number is now being returned in the API response,” they concluded.
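The flaw described above is a login response that carries fields the client never displays. As an added illustration (not Life360's code and not from the original report), the check below is the kind of regression test an API team can run against captured login responses: it flags any field outside an allowlist and any value that looks like a full or partially masked phone number. The field names, the allowlist and both sample responses are constructed assumptions.

```python
import json
import re

# Assumption: the only fields a login endpoint needs to return to a caller
# that has not yet authenticated. These names are hypothetical.
ALLOWED_FIELDS = {"status", "error", "error_code", "request_id"}

# Full numbers (+14155550123) and partially masked ones (+1******4830).
PHONE_RE = re.compile(r"\+?\d[\d*\s().-]{6,}")


def audit_login_response(body):
    """Return a list of findings for one JSON login response body."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key not in ALLOWED_FIELDS:
                    findings.append(f"unexpected field: {child}")
                walk(value, child)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")
        elif isinstance(node, str) and PHONE_RE.fullmatch(node):
            # A masked number is still personal data the UI never shows.
            findings.append(f"phone-like value: {path}")

    walk(json.loads(body), "")
    return findings


# Constructed sample: a failed login that still echoes profile data.
LEAKY = ('{"status": "denied", "error": "invalid_credentials", '
         '"user": {"firstName": "Alex", "phone": "+1******4830"}}')
# Constructed sample: the same failure with only allowlisted fields.
CLEAN = ('{"status": "denied", "error": "invalid_credentials", '
         '"request_id": "req-7f3a"}')

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_login_response(body))
```

Run against recorded responses in CI, a non-empty result fails the build before an over-sharing serializer reaches production.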
Life360 is a family network app designed to provide location and safety services. The app, available on both Android and iOS, allows users to share their real-time locations on a private map, set up geofences, and use various safety features. The tool also keeps a history of locations and movements.
The company has had a rough few weeks. Recently, it reported an extortion attempt. Hackers broke into a Tile customer support platform and stole users’ names, mailing addresses, email addresses, phone numbers, and device IDs.