This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Life360

Summary

In March 2024, Life360's Android login API was misconfigured to return users' real first names and phone numbers in API responses, enabling attackers to scrape 442,519 users' names, phone numbers, and email addresses through thousands of automated requests. Data was leaked in July 2024. No passwords, SSNs, or financial details were compromised. Life360 fixed the endpoint to return placeholders instead of real phone numbers. The breach also affected Tile, a Life360-acquired customer support platform, followed by an extortion attempt.

What Happened

Life360's Android login API returned personal information that was not visible to users. Attackers sent thousands of automated requests to scrape usernames and associated data.

Impact on Individuals

442,519 Life360 users had names, phone numbers, and emails exposed, enabling smishing, login validation attacks exploiting password reuse, and MFA fatigue campaigns.

Organisational Response

Life360 fixed the vulnerable API endpoint and confirmed the flaw was rectified.
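
The flaw and the fix described above, as an added example that is not Life360's code: a login response builder that serialises the stored record, beside one that emits a fixed shape with placeholders, plus a check that flags any stored PII value appearing in a response. The field names, placeholder values and sample record are assumptions made for illustration.

```python
import json

# Constructed sample record; field names are assumptions, not Life360's schema.
SAMPLE_RECORD = {
    "id": "u-1001",
    "email": "alice@example.com",
    "first_name": "Alice",
    "phone": "+15555550123",
    "password_hash": "constructed-hash-not-real",
}

# Fields that must never leave the server in a pre-authentication response.
SENSITIVE_FIELDS = ("first_name", "phone", "password_hash")

# Hypothetical placeholder values returned in place of the real ones.
PLACEHOLDERS = {"first_name": "User", "phone": "+1**********"}


def build_overexposed(record):
    """'Before' behaviour: serialise the stored record, dropping only the
    password hash. Any client that can call the endpoint reads the rest,
    even though the app never displays it."""
    body = {k: v for k, v in record.items() if k != "password_hash"}
    return {"status": "ok", "user": body}


def build_hardened(record):
    """'After' behaviour: a fixed response shape built from an allow-list,
    with placeholders where the client expects name and phone keys."""
    return {"status": "ok", "user": {"id": record["id"], **PLACEHOLDERS}}


def leaked_fields(response, record):
    """Return the sensitive field names whose stored value appears anywhere
    in the serialised response, however deeply nested. Intended as a
    contract test run against the endpoint's output."""
    wire = json.dumps(response)
    return [f for f in SENSITIVE_FIELDS if str(record[f]) in wire]


if __name__ == "__main__":
    for build in (build_overexposed, build_hardened):
        resp = build(SAMPLE_RECORD)
        print(build.__name__, "leaks:", leaked_fields(resp, SAMPLE_RECORD))
```

Running a check like `leaked_fields` against seeded test accounts in CI catches a serializer change that reintroduces real values into the response.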
