2024-6-14 01:28:54 Author: securityboulevard.com(查看原文) 阅读量:11 收藏
Location tracking service leaks PII, because—incompetence?
An anonymous hacker breached the internal support systems of Tile (ASX:360). They grabbed “millions” of customer data records by wielding two incredibly simple techniques.
Companies must do better! It’s yet another story of failed anti-scraping defenses (see also: Dell, 23andMe). And of stolen employee credentials—with no 2FA/MFA to protect critical internal systems (see also: LastPass, Ticketmaster).
Parent company Life360’s CEO Chris Hulls (pictured) is putting a brave face on it. In today’s SB Blogwatch, we wish these firms would get the message.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Slow motion topple.
Seems Almost too Easy
What’s the craic? Joseph Cox reports: Hacker Accesses Internal ‘Tile’ Tool That Provides Location Data to Cops
“Access to everything”
A hacker has gained access to internal tools used by the location tracking company Tile, including one that processes location data requests for law enforcement, and stolen a large amount of customer data. [It] shows how tools intended for internal use by company workers can be accessed … by hackers to collect sensitive data en masse.
…
“Basically I had access to everything.” … The hacker says they also demanded payment from Tile but did not receive a response. … They obtained login credentials … that they believe belonged to a former Tile employee. One tool specifically says it can be used to “initiate data access, location, or law enforcement requests.” … From here, the hacker said, … “I was able to enumerate through customer IDs. Sent millions of requests to scrape the data.”
Who owns Tile? Sergiu Gatlan uproots the family tree: Life360 says hacker tried to extort them
“Millions of requests without being detected”
Life360 provides real-time location tracking, crash detection, and emergency roadside assistance services to more than 66 million members worldwide. In December 2021, it acquired Bluetooth tracking service provider Tile in a $205 million deal.
…
A Tile spokesperson refused … to reveal when the breach was detected or how many customers were impacted. [And] Life360 did not disclose how the threat actor breached its platform. … However, the attacker [claims to have] scraped Tile customer names, addresses, email addresses [and] phone numbers … by sending “millions” of requests without being detected.
Tile customer? Sucks to be you. Here’s Life360 CEO Chris Hulls (and his tame PR team, no doubt): Unauthorized Access Incident
“We take … the security of customer information seriously”
Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We … detected unauthorized access to a Tile customer support platform.
…
The potentially impacted data … does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers. … We believe this incident was limited to the specific Tile customer support data described above and is not more widespread. We take this event and the security of customer information seriously.
Customers such as Doxin, for instance:
The only reason to go with Tile instead of AirTags is that Apple refuses to support AirTags on Android. I’ve got a Tile on my dog, because I’ll be ****ed to go buy a whole-ass new phone … just in case my dog runs off. Other than that, AirTags seem clearly superior along basically all metrics.
O RLY? Gerash explains:
Even though Air Tags came years after Tile they were instantly a better alternative. AirTag software is bundled with iOS: Both the background scanner and the FindMy app. So it’s a bigger network and a more seamless integration. Basically Apple copied the idea a few years later and killed Tile’s business overnight.
Speaking of Apple, Apple_Robert opines thuswise:
It sounds like several people at Tile failed to do their job. No excuse for this kind of elementary data breach to have occurred not to mention having to be told about the data breach. Whoever is in charge of security needs to be fired.
Life360 says it no longer sells your location data. But that legacy reputation hangs around like a bad smell. Pascal Monett is not surprised:
Why am I not surprised that a company that hoovers up private info like crazy to sell it on can’t be ***ed to secure its platform properly? … So you only found out you were hacked because the hacker … contacted you?
…
Might want to think about investing money (gasp) into some actual network protection. I mean, if you actually intend to preserve yourself from this kind of thing in the future.
Money and expertise. KiltedKnight thinks it’s “Not surprising:”
If Tile had followed some simple guidelines regarding least privilege, account and credentials management, and onboarding/offboarding processes, this might never have happened.
Meanwhile, jz0309 cuts to the chase:
Not disabling access of the account of a former employee … means that that company doesn’t understand security—plain and simple.
And Finally:
Hat tip: Tom Scott
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Life360, Inc.
Recent Articles By Author
如有侵权请联系:admin#unsafe.sh