BENGALURU: Data from caller identity app Truecaller, including names, phone numbers and email addresses of users worldwide, is available for sale on private internet fora, according to a cybersecurity analyst who monitors such transactions.
Data of Indian users, who make up 60-70% of Truecaller’s global user base of nearly 140 million, is being sold for about Rs 1.5 lakh (€2,000) on the so-called dark web, the person said. Data of global users is priced as high as €25,000.
The app, which also offers payment services through the Unified Payments Interface (UPI) to its Indian users, denied any breach of its database. However, the company said it has found instances of unauthorised copying of data — termed scraping — by its own users. Truecaller also offers a premium model, where users can search for an unlimited set of numbers on the platform for a payment.
No Breach: Truecaller
“It has been recently brought to our attention that some users have been abusing their accounts,” a representative for Truecaller said in a statement. “In light of this event, we would like to strongly confirm at this stage that no sensitive user information has been accessed or extracted, especially our users’ financial or payment details,” the spokesperson said in reply to queries from ET.
ET reviewed a sample data set that was on sale and found it contained personal identifiers as well as users’ state of residence and mobile service provider. A search of random numbers on the Truecaller app threw up results that matched the data shared with ET by the analyst.
“The team has been investigating the matter and has found that a very large percentage of the sample data does not match or is not Truecaller data,” the Swedish company said.
Earlier this year, Truecaller said it had begun investigations into user accounts suspected of having abused access to its platform. It has now set daily limits on the number of searches by a user. “We would like to reinforce that this was not an attack on our database, as data stored on our servers is highly secured. We take the privacy of our users and the integrity of our services extremely seriously. As we investigate, we will continuously implement new protocols to prevent any future attempts,” Truecaller said.
Cyber experts are of the view that such a large chunk of data could only be accessed by breaching the database of Truecaller. “It is not only this data, there is data available from multiple financial institutions. Organisations should take precautions, monitor the dark web and protect customer data,” said J Prasanna of Cyber Security & Privacy Foundation, a Singapore-based company.
In 2016, the Swedish company had to fix a vulnerability in its app after researchers found it had inadvertently leaked user data.
Source: Economic Times