Data from caller identity app Truecaller, including names, phone numbers and email addresses of users worldwide, is available for sale on private internet forums, according to a cyber security analyst who monitors such transactions.
Data of Indian users, who make up 60-70% of Truecaller’s user base of about 140 million, is being sold for about Rs 1.5 lakh (2000 Euros) on the so-called dark web, the source said, while data of global users is priced as high as 25000 Euros.
The popular smartphone app that also offers payment services through the Unified Payment Interface (UPI) to its Indian users denied any breach of its database by hackers. However, the Stockholm-based company said it has found instances of unauthorized copying of data, termed scraping, by its own users. Truecaller also offers a premium model where paying subscribers can search for an unlimited set of numbers on the platform.
“It has been recently brought to our attention that some users have been abusing their accounts,” a representative for Truecaller said in a statement. “In light of this event, we would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users’ financial or payment details,” the spokesperson said in reply to queries from ET.
ET reviewed a sample dataset that was on sale and found that it contains personal identifiers as well as the state of residence and users’ mobile service providers. A search of random numbers on the Truecaller app threw up results that matched with the data shared with ET by the analyst cited above.
“The team has been investigating the matter and has found a very large percentage of the sample data does not match or is not Truecaller data,” the Swedish company said.
Earlier this year, Truecaller said it began investigations into user accounts suspected of having abused access to its platform, and has already set daily limits on the number of searches by any user account. “We would like to reinforce that this was not an attack on our database, as data stored on our servers is highly secured. We take the privacy of our users and the integrity of our services extremely seriously. As we investigate, we will continuously implement new protocols to prevent any future attempts,” Truecaller said.
Cyber experts are of the view that such a large chunk of data could only be accessed by breaching the database of Truecaller. “It is not only this data, there is data available from multiple financial institutions. Organisations should take precautions, monitor the dark web and protect their customer data,” said J Prasanna of Cyber Security and Privacy Foundation Pte LTD, a Singapore-based company.
In 2016, the Swedish caller ID service had to fix a vulnerability in its app after researchers found that it leaked user data inadvertently.