Tile, best known for its small wearable Bluetooth trackers, has confirmed it suffered a major cyberattack in which an unnamed hacker obtained sensitive customer data, including people’s names, mailing addresses, email addresses, phone numbers and more.
Parent company Life360 confirmed the breach in a statement, adding that the hacker had tried to extort the company for money, but noting that it had closed the hole that allowed the breach in the first place.
As revealed by 404 Media, the hacker found active credentials that most likely belonged to a former employee, giving him access to the company’s systems, where he could “initiate data access, location or law enforcement requests.”
Data authenticity confirmed
Life360 is known for its work processing location data requests for police, meaning the hacker was able to search for people based on their phone number or some similar identifier – apparently netting the service “millions” of listings.
The publication obtained a small sample of the stolen data, as well as several screenshots, and was able to verify its authenticity. Some people whose email addresses were in the database were contacted and confirmed that the data was valid.
“Yes, that would be me,” one person told 404 Media.
Tile told the press that an “extortionist” had contacted the company claiming to have stolen customer data through a compromised Tile administrator account.
“Our investigation revealed that certain administrative credentials were used by an unauthorized party to access a Tile customer support platform, but not our Tile service platform,” the company told 404 Media. “The Tile customer support platform contains limited customer information, such as names, addresses, email addresses, phone numbers, and Tile device identification numbers. It does not contain more sensitive information, such as credit card numbers, passwords or login credentials, location data, or government-issued identification numbers.”
The vulnerable account has now been disabled, but we don’t know what happened to the stolen data and whether the hacker plans to sell it on the black market or not.