Tracker company Tile hacked — data provider says it faced "extortion" attempt following breach

Data leak
(Image credit: Shutterstock)

Tile, best known for small portable bluetooth trackers, has confirmed suffering a major cyberattack that saw an unnamed hacker obtain sensitive customer data including people’s names, postal addresses, email addresses, phone numbers, and more.

Parent company Life360 confirmed the breach in a statement, adding the hacker had tried to extort it for money, but noting it had plugged the hole that made the breach possible in the first place.

Revealed by 404 Media, the hacker found active login credentials that most likely belonged to a former employee, granting them access to the company’s systems, where they were able to “initiate data access, location, or law enforcement requests.” 

Data authenticity confirmed

Life360 is known for its work processesing location data requests for law enforcement, meaning the hacker might have been able to search for people either by their phone number, or a similar identifier - apparently scraping the service for “millions” of entries. 

The publication obtained a small sample of the stolen data, as well as multiple screenshots, and was able to verify its authenticity. It reached out to some of the people whose email addresses were listed in the database, and they confirmed the data was valid. 

“Yep, that would be me,” one person told 404 Media. 

Tile told the press that an “extortionist” contacted the company, claiming to have stolen customer data via a compromised Tile admin account. 

“Our investigation detected that certain admin credentials were used by an unauthorized party to access a Tile customer support platform, but not our Tile service platform,” the company told 404 Media. “The Tile customer support platform contains limited customer information, such as names, addresses, email addresses, phone numbers, and Tile device identification numbers. It does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers.”

The vulnerable account has since been disabled, but we don’t know what happened to the stolen data and whether the hacker plans on selling it on the black market or not.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.