Data of thousands of Life360 users scraped via unsecured API and leaked
Life360, a family networking app providing location and safety services, has been hit by a significant data breach that exposed the personal information of 442,519 customers.
The breach was caused by a vulnerability in the login API, which allowed unauthorized access to users' email addresses, names, and phone numbers.
The breach occurred due to an unsecured API endpoint in the Life360 login system. When a user logged in via Android, the API response included the user's first name and phone number, which were not visible to the user but were accessible through the endpoint. If the phone number was verified, the API returned a partial number, e.g., +1******4830.
A threat actor, identified by the handle 'emo,' leaked the data but claimed not to be the original perpetrator. Emo confirmed that Life360 has since addressed the flaw, and the API now returns placeholder numbers instead.
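The flaw described above is a login response that carries profile fields the client never displays. The following is an added example, not Life360's code: a response-contract check a team could run in API tests to catch that class of leak. The field names, the allowlist and the sample payload are assumptions constructed for illustration, and the hardened serializer omits profile data entirely rather than returning placeholder numbers.

```python
import re

# Assumed contract: the only fields a login response needs (hypothetical names).
ALLOWED_LOGIN_FIELDS = {"access_token", "token_type", "expires_in"}

# Matches full or partially masked phone numbers such as +1******4830.
PHONE_LIKE = re.compile(r"^\+?[\d*][\d*\-\s]{6,}$")

def walk(obj, path=""):
    """Yield (path, value) for every leaf of a nested JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj

def audit_login_response(body):
    """Return findings: top-level fields outside the contract, phone-like values."""
    findings = [("unexpected_field", key)
                for key in body if key not in ALLOWED_LOGIN_FIELDS]
    for path, value in walk(body):
        if isinstance(value, str) and PHONE_LIKE.match(value):
            findings.append(("phone_like_value", path))
    return findings

def build_login_response(user_record, token):
    """Hardened serializer: build the response from the allowlist only,
    copying nothing from the stored user record."""
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

# Constructed sample mimicking the over-sharing response the article describes.
LEAKY = {
    "access_token": "tok", "token_type": "Bearer", "expires_in": 3600,
    "user": {"firstName": "Alex", "phone": "+1******4830"},
}

if __name__ == "__main__":
    print(audit_login_response(LEAKY))
    print(audit_login_response(build_login_response(LEAKY["user"], "tok")))
```

Running the audit against every authentication endpoint in CI turns a hidden extra field into a failing test instead of a scrapeable response.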
Exposed Data:
- Email addresses
- Names
- Phone numbers
Security researchers have verified the authenticity of the leaked data by cross-referencing multiple entries.