Breaking News - Comment on Life360 data leak - Jason Kent, Cequence
July 2024 by Jason Kent, Hacker in Residence, Cequence Security
Comment from Jason Kent, Hacker in Residence at Cequence, the API protection solutions provider, in response to the news that over 400,000 Life360 user phone numbers leaked via an unsecured API.
“This is a fairly interesting attack in that the attackers, looking at the response data on the mobile app channel, saw that it showed sensitive data beyond what was needed for the transaction to complete. This illustrates the need to test APIs for things like sensitive data in the responses.
Very simple instrumentation on the login API would have shown that sensitive data was leaking in the responses, showing they weren’t looking in the right places for the right things. In order to pull this database the attacker had to send thousands upon thousands of requests for usernames and scrape the return data.
As we see more and more data dumps we see more and more use of the usernames. In this case knowing an email address on the system yields name and phone number. As you can see, by exploiting flaws in company A the attacker can use a bit of information on an insecure API flow in Company B and enhance the database making it much more valuable on the black market or for further attacks.
All Life360 customers need to know their name, phone number and email address are now compromised and should be extra vigilant to keep the security of these items in mind. Follow-on attacks could include smishing attempts, login validation attempts (checking for password reuse) and possibly Multi-Factor Fatigue Campaigns.
The best prevention for this sort of thing is to not reuse passwords. Use a secure vault if you have a hard time remembering passwords and keep them all refreshed!”
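The two defender-side checks the comment calls for, inspecting login API responses for sensitive fields that the transaction does not need and spotting the high-volume username lookups that a scrape produces, as an added Python example. This is not Life360's or Cequence's code; the `/api/login` path, the field allowlist, the access-log format and all sample data are constructed assumptions for illustration.

```python
"""Added example (not Life360's or Cequence's code).

check_response_exposure(): compare a JSON API response against a per-endpoint
allowlist of fields and flag anything extra, plus any value that looks like a
phone number or e-mail address regardless of its field name.
detect_enumeration(): count requests per client to the login endpoint in a
sliding time window over access-log lines and report clients over a threshold.
Endpoint path, field names and log format are assumptions.
"""
import re
from collections import defaultdict, deque

# Hypothetical allowlist: the only fields a login response should carry.
# Anything outside it is excessive data exposure.
RESPONSE_ALLOWLIST = {
    "/api/login": {"session_token", "expires_at", "user_id"},
}

PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{7,}\d$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample response: a login reply that also returns profile data.
SAMPLE_RESPONSE = {
    "session_token": "tok_abc123",
    "expires_at": "2024-07-01T12:00:00Z",
    "user_id": "u-1001",
    "profile": {"name": "Sample User", "phone": "+1 555 010 0199",
                "email": "sample@example.com"},
}


def _walk(obj, path=""):
    """Yield (dotted_path, leaf_value) pairs for nested dict/list JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def check_response_exposure(endpoint, response_json):
    """Return sorted findings: top-level fields outside the allowlist, and any
    string value that looks like a phone number or e-mail address."""
    allowed = RESPONSE_ALLOWLIST.get(endpoint, set())
    findings = []
    for path, value in _walk(response_json):
        top = path.split(".")[0].split("[")[0]
        if top not in allowed:
            findings.append(f"unexpected field: {path}")
        if isinstance(value, str):
            if PHONE_RE.match(value):
                findings.append(f"phone-like value: {path}")
            elif EMAIL_RE.match(value):
                findings.append(f"email-like value: {path}")
    return sorted(findings)


def build_sample_log():
    """Constructed access log, '<epoch> <client_ip> <method> <path> <status>':
    one client probing 150 addresses in 30 s, one ordinary user logging in."""
    lines = [f"{1720000000 + i // 5} 198.51.100.7 POST /api/login?user=u{i}@example.com 401"
             for i in range(150)]
    lines += [f"{1720000000 + i * 10} 203.0.113.5 POST /api/login 200"
              for i in range(5)]
    return lines


def detect_enumeration(log_lines, threshold=100, window_s=60):
    """Return clients that sent more than `threshold` login requests within
    any `window_s`-second window (the 'thousands of requests' pattern)."""
    recent = defaultdict(deque)   # client_ip -> timestamps inside the window
    flagged = set()
    for line in log_lines:
        ts, ip, _method, path, _status = line.split()
        if path.split("?")[0] != "/api/login":
            continue
        ts = int(ts)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for finding in check_response_exposure("/api/login", SAMPLE_RESPONSE):
        print("response check:", finding)
    print("enumeration suspects:", detect_enumeration(build_sample_log()))
```

The response check is meant to run in a test stage or a gateway tap against real traffic, where the allowlist is the contract for each endpoint; the enumeration check uses a per-client sliding window so a slow scrape spread over hours is caught by widening `window_s` rather than by changing the logic.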