MacRumors

macrumors bot
Original poster
Apr 12, 2001


Tile, known for its Bluetooth tracking devices, was recently hacked, according to a report from 404 Media. A hacker was able to gain access to Tile's internal tools that are used for processing location data requests for law enforcement officers, and that gave the hacker customer names, addresses, email addresses, and phone numbers.


Data breaches are not uncommon these days, but Tile was not forthcoming about the attack and did not mention it until being contacted by 404 Media. The site learned about the breach from the hacker. Tile parent company Life360 published a statement about the attack on its website after being prompted to do so by 404 Media.

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt. We received emails from an unknown actor claiming to possess Tile customer information. We promptly initiated an investigation into the potential incident and detected unauthorized access to a Tile customer support platform (but not our Tile service platform). The potentially impacted data consists of information such as names, addresses, email addresses, phone numbers, and Tile device identification numbers. It does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types.

"We believe this incident was limited to the specific Tile customer support data described above and is not more widespread. We take this event and the security of customer information seriously. We have taken and will continue to take steps designed to further protect our systems from bad actors, and we have reported this event and the extortion attempt to law enforcement. We remain committed to keeping families safe online and in the real world."

While no location information was obtained, the incident is alarming because of the nature of the tool that the hacker was able to access. The hacker was able to get into Tile's system using credentials from a former Tile employee, and was able to get into a tool that could be used to look up Tile customers by phone number. Part of that tool allowed for searching location history.

Tile told 404 Media that the hacker would not have been able to access location data from the platform that was attacked, but did not confirm whether the hacker had the appropriate authentication to perform a location request once the internal tool was accessed.

Tile is one of Apple's main competitors in the item tracking space, with Tile's trackers available as an alternative to Apple's AirTags.

Article Link: Hackers Access Tile's Internal Tracking Tools, Customer Data
 
Well, not disabling access of the account of a former employee to me means that that company doesn’t understand security, plain and simple
I agree. It sounds like several people at Tile failed to do their job. No excuse for this kind of elementary data breach to have occurred, not to mention having to be told about the data breach. Whoever is in charge of security needs to be fired.
 
A hacker was able to gain access to Tile's internal tools that are used for processing location data requests for law enforcement officers
Worrisome...
Saying that, does Apple always know the location of my devices or are they encrypted to my Find My with no backdoor access?

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt."

Also Tile's first sentence in their response tells you a lot about the company. "What about" much?
 
People need to stop glamorizing hackers as though they are providing some public service. They are breaking into people's most private spaces, just as if they had picked a lock to a home. But in the digital era, hackers are given some level of esteem as though they are better than common thieves. They aren't.
 
People need to stop glamorizing hackers as though they are providing some public service. They are breaking into people's most private spaces, just as if they had picked a lock to a home. But in the digital era, hackers are given some level of esteem as though they are better than common thieves. They aren't.
I don’t think that applies uniformly.

Totally dependent on what happens after gaining entry.

Black and white hats are a thing.
 
Worrisome...
Saying that, does Apple always know the location of my devices or are they encrypted to my Find My with no backdoor access?

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt."

Also Tile's first sentence in their response tells you a lot about the company. "What about" much?
Leaning heavily into their victimhood as a distraction.
 
Worrisome...
Saying that, does Apple always know the location of my devices or are they encrypted to my Find My with no backdoor access?

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt."

Also Tile's first sentence in their response tells you a lot about the company. "What about" much?
Apple doesn’t know, but your cell provider for your devices knows pretty close to actual location.
 
So “no location data was obtained” — but at the same time the hackers accessed customer names, addresses, emails, and phone numbers? Is this supposed to calm customers? I would never use this product.
Was going to say same.

I can get a cc refund and change my cc card number. All the rest* is static and nigh impossible to easily change.

* I moved all my accounts to site unique (1/site) iCloud hide my email addresses so that’s an easy change too.

PSA: if you haven’t yet set up credit freezes with Experian, Equifax, TransUnion, do so, because unannounced breaches are a thing (not just for Tile - shame on them - also, if you tile, no better reason to upgrade to AirTags).
 
Worrisome...
Saying that, does Apple always know the location of my devices or are they encrypted to my Find My with no backdoor access?
If a user doesn’t have access to the AppleID the lost device is using, no one can find it. The data is out there and in Apple’s cloud (as long as the battery isn’t dead), but the AppleID is the key to have that info routed to the user when they log in.
 
Worrisome...
Saying that, does Apple always know the location of my devices or are they encrypted to my Find My with no backdoor access?

"Similar to many other companies, Life360 recently became the victim of a criminal extortion attempt."

Also Tile's first sentence in their response tells you a lot about the company. "What about" much?
No. The way a lost AirTag identifies itself, there's no way to know who the owner is on the part of the Apple device that detected it and relayed its public ID to Apple.
 
Using credentials of a former employee is not hacking. Tile was the victim of a data breach.
My former employer, a large hospital, closed off my access to email, etc. about 30 minutes after I sent in my resignation (I was retiring). I had archived it the day before but they obviously weren't taking chances. I can't fault them.
 