Security News > 2024 > July > Over 400,000 Life360 user phone numbers leaked via unsecured API
A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API. Known only by their 'emo' handle, they said the unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number.
According to the threat actor, Life360 has since fixed the API flaw, and additional requests now return a placeholder phone number.
On Monday, the same threat actor also leaked over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January.
While the company didn't reply to a request for comment regarding the threat actor's claims, BleepingComputer confirmed the information belongs to actual Life360 customers by verifying multiple entries in the leaked data.
On Thursday, Life360 also disclosed it was the target of an extortion attempt after attackers breached a Tile customer support platform and stole sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers.
The exposed data "Does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types," Life360 CEO Chris Hulls added.