It has recently been revealed that in March 2024, a hacker exploited an API flaw in Life360’s login system and leaked personal information including names, phone numbers and email addresses of over 440,000 users.
Life360 Inc. is a San Francisco, California–based American information technology company that provides location-based services, including sharing and notifications, to consumers globally.
Life360 itself has not confirmed how many accounts were affected; the figure above comes from the leaked dataset rather than from the company.
What does this mean for the business community?
To discover more, Digital Journal has spoken with Jason Kent, Hacker in Residence at Cequence.
Kent begins by giving a run-down on the attack process, noting: “This is a fairly interesting attack in that the attacker simply examined the response data from the mobile app’s login process and found sensitive information the app didn’t need to display.”
There are things to consider for technology teams, which Kent explains as: “This illustrates the need to test APIs for things like sensitive data in the responses. Even basic checks on the login API would have revealed this data leak, indicating they weren’t testing for the right things. In order to pull this database, the attacker had to send thousands upon thousands of requests for usernames and scraped the return data.”
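The two checks Kent's account implies, written out as an added Python example (this is not code from the article, from Cequence or from Life360, and the real Life360 API is not shown here): first, a response-contract test that compares what a login endpoint returns against the handful of fields a mobile client actually needs and flags everything else, PII in particular; second, a detector for the scraping pattern of one client sending "thousands upon thousands" of login requests for different usernames. The endpoint path `/v1/login`, the allowed field names, the JSON responses, the access-log format and the threshold are all constructed assumptions for illustration.

```python
"""Checks suggested by the login-API leak described above (added example).

1. check_login_response: flag fields in a login response that the client
   does not need; this is the "basic check on the login API" that would
   have surfaced name/phone/email coming back with a failed login.
2. enumeration_suspects: over (constructed) access-log lines, find clients
   that tried many distinct usernames against the login endpoint, the
   signature of scraping the leak one account at a time.

Every field name, path, sample body, log line and threshold below is an
assumption made for this example, not Life360's real API or logs.
"""
from collections import defaultdict
import json
import re

# Assumed contract for a hypothetical POST /v1/login: the only fields a
# mobile client needs back. Anything else is over-exposure until justified.
LOGIN_ALLOWED_FIELDS = {"status", "session_token", "token_expires_in"}

# Key names whose presence in a login response is a leak regardless of the
# allowlist (matched case-insensitively against the dotted key path).
PII_KEY_PATTERNS = re.compile(
    r"(email|phone|first_?name|last_?name|full_?name|address|birth)", re.I
)


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a decoded JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def check_login_response(body, allowed=LOGIN_ALLOWED_FIELDS):
    """Return [(dotted_key, severity)] for fields the client does not need.

    severity is "pii" when the key matches PII_KEY_PATTERNS, otherwise
    "extra" for any top-level field outside the allowlist.
    """
    data = json.loads(body) if isinstance(body, str) else body
    findings = []
    for key, _ in flatten(data):
        if PII_KEY_PATTERNS.search(key):
            findings.append((key, "pii"))
        elif key.split(".")[0] not in allowed:
            findings.append((key, "extra"))
    return findings


# Constructed bad response: the password was wrong, yet the body echoes the
# account holder's profile for the supplied email (the flaw Kent describes).
BAD_LOGIN_RESPONSE = json.dumps({
    "status": "invalid_password",
    "user": {"id": 1042, "first_name": "Ada", "last_name": "Lovelace",
             "email": "ada@example.com", "phone": "+15555550100"},
})

# Constructed good response: a generic failure, no hint whether the account
# exists and nothing about its owner.
GOOD_LOGIN_RESPONSE = json.dumps({"status": "invalid_credentials"})

# Constructed access-log format: "<ip> <method> <path> <status> user=<name>".
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)


def enumeration_suspects(log_lines, path="/v1/login", min_distinct_users=25):
    """Return {ip: distinct_username_count} for clients that hit the login
    endpoint with at least min_distinct_users different usernames. A real
    user mistypes one account; a scraper walks through thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["path"] != path:
            continue
        seen[m["ip"]].add(m["user"])
    return {ip: len(u) for ip, u in seen.items() if len(u) >= min_distinct_users}


# Constructed sample log: one scraper cycling through 40 email addresses,
# one ordinary user fumbling their own password a few times then succeeding.
SAMPLE_LOG = (
    [f"203.0.113.7 POST /v1/login 401 user=victim{i}@example.com" for i in range(40)]
    + ["198.51.100.2 POST /v1/login 401 user=me@example.com"] * 5
    + ["198.51.100.2 POST /v1/login 200 user=me@example.com"]
)

if __name__ == "__main__":
    print("bad response findings:", check_login_response(BAD_LOGIN_RESPONSE))
    print("good response findings:", check_login_response(GOOD_LOGIN_RESPONSE))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The contract check is the one to put in the API test suite: run it against the recorded response of every authentication state (success, bad password, unknown user, locked account), not just the happy path, since the leak described here was in what came back when the login did not succeed. The enumeration detector belongs in the logging pipeline; note that it keys on distinct usernames per client rather than on request volume, because a scraper can stay under a rate limit and still be obvious by how many different accounts it touches.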
In terms of the implications of the data haul, Kent’s assessment is: “As we see more and more data dumps, we see more and more use of the usernames. In this case, knowing an email address on the system yields name and phone number. As you can see, by exploiting flaws in Company A the attacker can use a bit of information on an insecure API flow in Company B and enhance the database, making it much more valuable on the black market or for further attacks.”
Returning to the case specifics, Kent says: “All Life360 customers need to know their name, phone number and email addresses are now compromised and should be extra vigilant to keep the security of these items in mind. Follow-on attacks could include smishing attempts, login validation attempts (checking for password reuse) and possibly multi-factor fatigue campaigns.”
In terms of general actions that any company can take on board, Kent proposes: “The best prevention for this sort of thing is to not reuse passwords. Use a secure vault if you have a hard time remembering passwords and keep them all refreshed!”