My former employer, a large hospital, closed off my access to email, etc. about 30 minutes after I sent in my resignation (I was retiring). I had archived it the day before but they obviously weren't taking chances. I can't fault them.

Most retirement notifications are sent months in advance. Was your retirement notification sent with immediate effect?
 
Everyone here is missing that beyond revoking employee credentials, employee access to this kind of data should be restricted entirely when on external networks. Why was that not enforced? Why would an employee be able to login from anywhere?

Although I suppose their VPN credentials were probably not revoked either, if they have that, which they probably shouldn’t have if they aren’t remote. And I don’t think someone with that kind of critical access should be allowed to work remotely. They should be under some sort of surveillance in a secure facility.

We’re talking about extreme customer privacy issues here. This isn’t just any business! Especially if this is a special tool for law enforcement. There should just be a few people under a lot of scrutiny with access.

Hopefully this is another death knell for Tile. This company has always rubbed me the wrong way.
 
That’s some good spin, I guess that’s why those PR folks make the big bucks!

“Sure, it happened to us, but it happens to other companies too! And the hackers just have your name, email, phone number and address. And your tile ID. It’s not like they have your credit card or social security number” 🤡
 
Shady AF and they make it seem like it isn’t a big deal either when PERSONAL DATA still got accessed. They are like „it was only your name, not a big deal“ wtf.

Are they selling their products in the EU? This is a clear breach of GDPR. You are supposed to report such incidents asap to the regional data privacy office and also inform the user about it
 
Wow! I ditched my Tile for AirTag but I had one, they have my details and I NEVER knew about this! They must be fined heavily, you cannot be hacked and hide it from your customers, that is surely illegal in at least one country they sell in?

What a scummy, incompetent company they are.
 
People need to stop glamorizing hackers as though they are providing some public service. They are breaking into people's most private spaces, just as if they had picked a lock to a home. But in the digital era, hackers are given some level of esteem as though they are better than common thieves. They aren't.

Many of them are out to extort money and nothing more. That is exactly what a thief does, steals things and then sells them for cash. They are exactly the same as you say and definitely deserve no separation or credit whatsoever. Scum.

I need to try one of those tools that claims to scan the web and delete your data from sites.
 
The hacker was able to get into Tile's system using credentials from a former Tile employee,
Now I understand why we have to disable the accounts immediately when someone leaves. I always had an "It can wait, don't understand why you're in such a hurry" attitude.
 
Everyone here is missing that beyond revoking employee credentials, employee access to this kind of data should be restricted entirely when on external networks. Why was that not enforced? Why would an employee be able to login from anywhere?


It's even worse than that, why are employees able to access this information AT ALL?

Google employees snooping around Nintendo's private files on YouTube and Google Drives led to leaks about their games. Not former employees, current employees. Not working off-site, but on-site.

Rogue employees exist. If you build a honeypot, it will attract flies. People are going to snoop, and it's not just hackers. If you build a back-door, people are going to abuse it.

'Police want that information' is not a reason to build a back-door or a workaround. If someone wasn't using Tile, Police would have to do their job without that information, so they should be able to do that anyway.

This is why Microsoft's Recall and Adobe's new Cloud TOS are absolute deal breakers. Giving employees access to user files is always a terrible idea.
 
Pretty sure under GDPR there is a legal requirement to disclose data breaches within 72 hours and I find it hard to believe Tile would have no European customers.

I’m in the UK and they have sold devices here officially for several years I think, maybe since their first or second device even? A quick check also shows Amazon's German site selling their devices so I think it’s safe to say they sell in Europe and have breached our GDPR rules. I do hope a large fine comes their way.

EDIT: in the UK companies are required to use this site to report breaches. http://ico.org.uk/for-organisations...data-breach/report-a-data-breach-online-form/ so it’s not difficult.

And yes by law breaches must be reported in 72 hours:


Step two: Start the timer

By law, you've got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.

 
Yikes.

Cue the "that would never happen with AirTags" vs. "that could happen with AirTags" debate...

But... that would never happen with AirTags. :D Not really a debate.
If this happened with AirTags, Apple would absolutely have come forward with this ASAP to get people to change iCloud credentials ASAP, as this would be a massive data breach. (AirTags and server data are extremely encrypted and the only way to really hack the data is to go to the server farms that store this. Again, Apple is privacy focused)
 