A cybercriminal gained unauthorized access to an internal platform of tracking device manufacturer Tile, an attack that resulted in the theft of a large amount of customer data, such as their names or their telephone numbers.
Tile is an American technology company specialized in devices with Bluetooth connectivity, whose products include Sticker, an adhesive button that works like an Apple Air Tag.
A malicious actor reportedly recently gained access to internal tools used by Tile, including one that processes location data requests for law enforcement and authorities.
This has been advanced by 404 Media based on a series of Tile data samples and screenshots to which it has had access, confirming that the stolen data itself does not include the location of the Tile devices.
To obtain this data, the cybercriminal obtained the login credentials for a system from this hardware manufacturer that could belong to one of its former employees, as confirmed to this same medium.
This has been shared by 404 Media, which has indicated that this cybercriminal stole a large amount of customer data, such as their names, physical addresses, email addresses, details about different payment methods or phone numbers.
This medium has verified the data provided by the hacker, randomly selecting a series of email addresses, with which he would have contacted to verify that they are existing directories. Some of those affected confirmed having those addresses registered in Tile.
From Life360, which acquired Tile at the end of 2021, it has acknowledged in a statement that it has been “the victim of an attempted criminal extortion” and that it has received communications from an unknown actor “who claimed to possess Tile customer information.”
The firm has also commented that “immediately” after learning of the facts, it began an investigation into the possible security incident and detected “unauthorized access to a Tile customer service platform”, but not to its service platform.
With this, he has insisted that the potentially affected data consists of information such as names, email addresses and telephone numbers. However, he has denied that he is included in this theft “most confidential information“, such as login passwords, location or credit card number, because the compromised service did not contain this type of information.
Lastly, Life360 has indicated that it believes this incident “was limited” specifically to this platform and that “is not more widespread“. With this, it has clarified that it will continue to take “measures designed to further protect” its systems.