Hundreds of thousands of Life360 customers suffered data leaks on the dark web following a recent data breach that was caused by a different initial hacking incident.
A threat actor shared a database of the hacked information from the customers on an underground forum, earlier this week.
Life360 User Data Leak on Dark Web
The hacker credited the "original breacher" who initially took details from the company's site. The shared database contained personal information like email addresses, phone numbers, and full names of 442,519 users.
"When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user," said the hacker called "emo."
BleepingComputer reported that the initial breach happened last March. However, emo stated that they were not the first ones to hack the site. The publication also confirmed that the information posted by the hacker is from actual Life360 customers.
Life360 Suggests Hackers Used Stolen Credentials
Life360 stated that the hackers likely used the stolen credentials from a former Tile employee. Previously, an extortion attempt was made on the Tile customer support platform which stole sensitive information from employees.
The post shared that Life360 has already fixed the unsecured API endpoint. Additional requests will no longer return with the phone numbers, instead, a placeholder number is returned in the API response.
Life360 is a popular tracking app that allows family members and friends to easily locate each other. The app is available among Android and iOS users wherein they can share their real-time locations and utilize other safety features.