The data is being sold for $1,000 but Truecaller has denied the breach.
One such case of the latter was observed recently by researchers at Cyble, when the data of 47.5 million Indian users, allegedly originating from the famous caller-ID app Truecaller, was apparently leaked on the dark web.
It is worth noting that Truecaller has over 100 million active daily users in India, and that an alleged Truecaller database with data on Indian users has already been circulating on the Internet for the last couple of years.
As for the recent one, the database was leaked by a hacker going by the online handle “TooGod.” The data is well organized and contains a range of sensitive records, including but not limited to:
- Full names
- Email addresses
- Mobile numbers
- Network carrier
- Facebook IDs
In response, however, the company has stated that there was no such breach and that the records are being wrongly attributed to it. It elaborated on its reasoning, stating that,
“We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before.”
The data is currently available for sale for $1000, which equates to approximately INR 75000.
Commenting on why Truecaller believes that it has been targeted in this particular case, the firm said in a statement,
“It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell.”
This does make sense, with Cyble researchers also stating that the data appears to originate from a 2019 breach which, ironically, was also attributed to Truecaller; the company rejected any database breach even back then. With that, we now have a situation where the origin of two database breaches is unknown.
It is from the same leak as here – https://t.co/Axsw3jamKZ. Would you like to share more information based on your previous comment i.e. "We believe that it is possible that some malicious users have been abusing their Truecaller account in contravention of our.."
— Cyble (@AuCyble) May 27, 2020
One hint at what may have happened is that a vulnerable third-party API could have been used to scrape Truecaller’s data without the firm knowing, just like in a recent case in which Hackread.com exclusively reported on a hacker selling 500 million Facebook user records from 82 countries.
To conclude, regardless of its origin, the data can be used for a range of malicious purposes such as dedicated phishing campaigns and spamming users. The best way for users to avoid such incidents is to limit the amount of information they share with any website or application.
Going forward, it is expected that Truecaller will take a more conciliatory approach with cybersecurity researchers in order to address potential security flaws that its application may have.