A hacker obtained Tile customers’ personal information

Tile owner Life360 says a hacker obtained personal information on customers of the Bluetooth tracker brand. The details include names, addresses, email addresses, phone numbers and Tile device ID numbers. Life360 CEO Chris Hulls said in a statement that the stolen data does not include credit card numbers, passwords, other login credentials, location data of Tile devices or government-issued ID numbers.

“Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt,” Hulls wrote. “We received emails from an unknown actor claiming to possess Tile customer information. We promptly initiated an investigation into the potential incident and detected unauthorized access to a Tile customer support platform (but not our Tile service platform).”

Hulls added that Life360 believes the stolen data was limited to customer names, their physical and email addresses and device IDs. “We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement,” Hulls wrote. “We remain committed to keeping families safe online and in the real world.”

The attack appears to have gone beyond pinching user data, however. According to 404 Media, which first reported on the intrusion, the hacker was able to gain access to some of Tile’s internal tools, including one used to process any location data requests submitted by law enforcement.

The hacker says they used login credentials that apparently belonged to a former Tile employee to access the customer support systems (Tile said in a separate statement to 404 Media that it later deactivated these credentials). The information they obtained is also said to include order and return details along with the payment method used by the customers. They were also seemingly able to access tools that, for instance, allow Tile to transfer ownership of a Bluetooth tracker from one email address to another, create administrator accounts and send push notifications. The hacker told 404 Media that they didn’t use these functions.
