Researcher: Data Leaked for 300 Million Truecaller Users
But App Company Says Database Was Not Breached
A security researcher has reported that the mobile phone numbers and, in some cases, other information of 300 million Indians who use the Truecaller caller ID app are available for sale on the dark web. But the maker of the app says its database was not breached.
Truecaller is developed by True Software Scandinavia AB, a privately held company in Stockholm, Sweden. The smartphone app offers its Indian users payment services through the Unified Payment Interface. Truecaller offers a premium model where paying subscribers can search for an unlimited set of numbers on the platform.
Rajshekhar Rajaharia, an independent researcher, tells Information Security Media Group that the leaked data of 300 million Indians includes mobile phone numbers and, in some cases, email addresses, photos, company names, job titles and more.
The leaked data now available for sale, Rajaharia says, includes:
- 29.9 million Indians' mobile numbers, including those of thousands of celebrities, corporate CEOs and politicians;
- 1.9 million email addresses;
- 1.8 million subscriber photos;
- 20 million Facebook IDs.
Below is a screenshot of the leaked data that is posted on the dark web.
"Truecaller's data is on sale on the dark web. Almost every second Indian's data is available," Rajaharia tells ISMG. "I have verified the records available in the dark web. I have matched the data with those available on the dark web, which was uploaded in March. They match with the ones on Truecaller's website."
In response to a news report in the Economic Times about the researcher's findings, the maker of Truecaller stated: "It has been recently brought to our attention that some users have been abusing their accounts. In light of this event, we would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users' financial or payment details."
A spokesperson for Truecaller tells ISMG: "The categories of data presented to us by the Economic Times correspond to data fields that our users make available for search in our app. The majority of the data that we analyzed did not match our systems. We believe that it is possible that some malicious users have been abusing their Truecaller account in contravention of our terms of service to collect phone numbers."
The Truecaller spokesperson says the app's database was not attacked.
"Data stored on our servers is highly secure, and we confirm that no security incident took place. We take the privacy and security of the personal information of our users and the integrity of our services very seriously. As we investigate, we will continuously implement new protocols to prevent any future attempts."
The spokesperson also said that if the company identifies any third party responsible for leaking any information, "we will not hesitate to take such action as may be necessary to enforce and protect the rights of our users and Truecaller."
Other security concerns about Truecaller have been raised in recent years.
In 2013, Truecaller admitted that it had fallen victim to a cyberattack and suffered a data breach, but it said no sensitive information had been exposed.
In 2016, the BBC reported that an investigation by Factwire, an investigative news organization, determined that Truecaller searches could be conducted on the app provider's official website without even installing the software.