Earlier today, reports surfaced that a user database of Swedish caller ID app Truecaller is being sold on internet forums on the dark web. The alleged leaked database included names, phone numbers and email addresses of some Truecaller users, which the poster claimed to have acquired through a data breach.
However, independent security researcher Rajshekhar Rajaharia told Inc42 that there is no evidence of a data breach at Truecaller, and most of the records in the data dump seem to have been acquired through other means. This database could be from the earlier data leaks in Truecaller, which happened in 2013 and 2016.
“Also, the company had opened paid APIs for developers about six years back, which were shut down after a few months due to multiple scraping attempts by the users. The recent allegedly leaked database could be from one of those scraping attempts too,” he added.
Reports have also mentioned that the database included users’ state of residence and mobile service providers. To this, Rajaharia said, “State and mobile company name for any mobile number is public and also available on Wikipedia.”
Truecaller too denied the data leak reports and said, “The categories of data presented in the reports correspond to data fields that our users make available for search in our app. The majority of the data that we analyzed did not match our systems.”
“We believe that it is possible that some malicious users have been abusing their Truecaller account in contravention of our Terms of Service to collect phone numbers,” the company added. Truecaller allows phone number search on its website for free. Users can run a phone number search to extract its connected caller identity.
The company recognised the growing abuse of its service and said that it has put in place strict search limits and other precautionary security measures to prevent and minimise such abuse. “If we identify any third party that is responsible, we will not hesitate to take such action as may be necessary to enforce and protect the rights of our users and Truecaller,” the company said in a public statement.
Truecaller was founded by Alan Mamedi and Nami Zarringhalam in 2009. The app was started with a vision to build a service that could identify incoming calls from unknown numbers. In 2017, Truecaller Pay was launched in India in partnership with ICICI Bank.
Truecaller Pay allows users to instantly create a UPI ID and transfer money to any UPI ID or a mobile number registered with the BHIM app. Recently this March, the company was also reported to be planning a full spectrum of financial services with a focus on digital lending service.
Earlier Cases Of Data Leak In Truecaller
In 2013, Truecaller was reported to be running an outdated version (3.5.1) of the blogging platform WordPress, which led to the leak of millions of user records from the company’s database. The leaked records included unique access codes of Facebook, Twitter, LinkedIn, and Gmail accounts of millions of users, which the hackers claimed could have been used to post updates from these compromised accounts.
Later in 2016, security researchers from the Cheetah Mobile Security Research Lab discovered a loophole in the Swedish company’s database. This vulnerability had the potential to allow anyone to gain access to Truecaller users’ information and steal personal information like account name, gender, email, profile pic, home address, etc. The hacker could have also modified users’ application settings, including spam blockers and the blacklist.
Following the report from the CMS researchers, Truecaller acknowledged that there was a potential risk in their system and fixed the issue in a then-released app update. The company then claimed that no user data was compromised because of this 2016 loophole.
Recently in May, India was reported to be the country second most affected by cyber attacks between 2016 and 2018. The average cost for a data breach in India has risen 7.9% since 2017, with the average cost per breached record mounting to INR 4,552 ($64). The Reserve Bank of India too recorded a total of 2,059 cases of cyber fraud in 2017-18 as compared to 1,372 cyber fraud cases in 2016-17.