Another day, another data breach. Bluetooth tracking device maker Tile has been hacked, according to a report from 404 Media. A bad actor was able to gain access to Tile’s internal tools, which are used to process location data requests from law enforcement. The hacker gained access to customer names, addresses, email addresses, and phone numbers.
Tile did not announce or confirm the attack until it was contacted by 404 Media, which had learned about the breach from the hacker. Tile parent company Life360 eventually published a statement about the attack:
“Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information. We promptly initiated an investigation into the potential incident and detected unauthorized access to a Tile customer support platform (but not our Tile service platform). The potentially impacted data consists of information such as names, addresses, email addresses, phone numbers, and Tile device identification numbers. It does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types.
“We believe this incident was limited to the specific Tile customer support data described above and is not more widespread. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world.”
The hacker was able to break into Tile’s system by using credentials that belonged to a former Tile employee. The bad guy gained access to a tool that could be used to look up Tile customers by phone number. That tool also allowed searching for location history.
Tile told 404 Media that “the hacker would not have been able to access location data from this platform.” However, the company did not answer a specific question from 404 Media about whether the hacker had sufficient authentication to perform a location data request once they had access to the internal tool.
Tile makes Bluetooth tags and other tracking devices, competing in the same space as Apple’s AirTags.