Hacker Infiltrates ‘Tile’ Tool, Reveals Police Use of Location Data

Tile, a location tracking company known for its small hardware devices that users attach to items like keys to monitor them remotely, recently experienced a significant data breach. This breach exposed a large amount of sensitive customer information, including names, physical addresses, email addresses, and phone numbers. The breach did not include the actual location data of Tile devices, which would have been even more compromising. However, it is still a severe incident demonstrating the risks associated with internal tools and the potential for these tools to be exploited by hackers.

The hacker responsible for the breach gained access to several internal tools used by Tile employees, one of which processes location data requests for law enforcement. This access was reportedly obtained using login credentials that belonged to a former Tile employee. The hacker claimed to have had extensive access to the company's systems, which enabled them to collect the sensitive customer information mentioned.

The compromised tools included one that could initiate data access, another for location history, and one specifically designed for processing law enforcement data requests. Additionally, there were administrative tools for transferring Tile ownership between email addresses, creating administrative users, and sending push notifications to Tile users. Screenshots of these tools provided by the hacker confirmed their capabilities. One notable aspect of this incident is the potential misuse of tools meant for internal company use, which can be leveraged to gather sensitive information when accessed by unauthorized individuals.

The incident illustrates the inherent vulnerabilities in internal tools that are supposed to be used exclusively by company personnel. It also highlights the attractiveness of such companies to hackers, especially those that track individuals’ locations. The hacker in this case claimed to have demanded payment from Tile but did not receive a response.

Tile sells various tracking devices that can be located through the accompanying app. The company was acquired by Life360, another location data-focused company, in November 2021. The hacker explained that they had obtained login credentials for a Tile system believed to have belonged to a former Tile employee. One of the tools specifically indicated it could be used to “initiate data access, location, or law enforcement requests.” Users could look up Tile customers by their phone number or another identifier, according to screenshots.

This breach is a part of a broader pattern where hackers target tools used by tech companies to provide data to law enforcement or manage internal operations. In recent years, hackers have repeatedly compromised such tools, either gaining direct access or manipulating insiders to use the tools for malicious purposes. In some instances, hackers have even installed malware within companies to remotely control employee tools. Additionally, hackers sometimes compromise email accounts used by police or other government officials and then use those accounts to request sensitive data from tech companies, posing as law enforcement officers. This tactic has been used against major companies like Facebook, TikTok, and Apple.

The implications of the Tile data breach are profound. The exposure of personal data, even without location information, can lead to various forms of cybercrime, including identity theft and phishing attacks. The incident underscores the necessity of securing internal tools and systems, ensuring that only authorized personnel have access, and implementing robust authentication measures. The use of credentials from a former employee points to a significant lapse in revoking access rights after an employee leaves the company, highlighting the importance of promptly updating access controls.

In response to such incidents, companies must strengthen their access controls, ensuring that sensitive tools and data are strictly controlled and regularly audited. Multi-factor authentication (MFA) should be used to enhance security further. Access rights for employees who leave the company should be promptly revoked to prevent unauthorized access. Monitoring systems should be implemented to detect unusual activity, such as multiple failed login attempts or access from unfamiliar locations, and alert the security team accordingly.

Regular training for employees on security best practices is essential, including the importance of safeguarding their credentials and recognizing phishing attempts. Additionally, companies should develop and maintain a robust incident response plan to quickly address data breaches and mitigate their impact.

This breach at Tile is part of a larger trend where hackers target internal tools used by tech companies for various purposes, including data requests for law enforcement. Similar incidents have occurred at other major companies, such as Twitter and Roblox. In these cases, hackers have either gained direct access to internal tools or compromised email accounts used by law enforcement to request sensitive data under false pretenses.

Overall, the Tile data breach underscores the critical need for stringent security measures to protect internal tools and sensitive customer data. As companies continue to digitize their operations and collect vast amounts of data, ensuring the security and integrity of internal systems becomes increasingly important. By implementing robust access controls, monitoring systems, and employee training programs, companies can better safeguard against breaches and protect their customers' data. This incident serves as a stark reminder of the vulnerabilities that exist within internal systems and the need for continuous vigilance and improvement in security practices.