Cybersecurity research firm Cyble reported that unknown hackers are selling personal information of 47.5 million Indian users of Truecaller, a caller-identification app, on darknet forums for $1,000. The leaked data included details like users’ phone number, name, gender, city, carrier, email ID, Facebook account, and telco details.
In its primary analysis report, Cyble stated that the users’ personal details were listed on dark web forums in a categorized format based on states, cities, and telecom carriers. It also found that the exposed data is from 2019. Cyble said that such leaked data might impact users in India via spam, phishing scams, and identity theft attacks.
“We were sceptical, but considering we have a large number of subscribers and enterprises in India, we decided to go ahead with the validation stage. And soon we realized that we didn’t make a wrong decision,” Cyble researchers said.
Truecaller, for its part, denied Cyble's data breach allegations. “We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell,” Truecaller said in a media statement.
The Swedish caller identity app is popular among Indian users. The app provides a set of features to smartphone users including call-blocking, flash-messaging, caller-identification, call-recording, and Chat & Voice services.
Vulnerabilities in Truecaller App
Earlier, researchers discovered a security flaw in the Truecaller app that could expose users’ sensitive data, location, and system information to attackers. The flaw came to light after India-based security researcher Ehraz Ahmed reported the issue. In a video post, the researcher described how a malicious link can be injected as a profile URL, potentially targeting users who click on the profile. According to Ahmed, the malicious script is executed without user consent. “The flaw could allow attackers to mount serious attacks on target machines, although this was not the scope of the proof of concept and has been played down by the company,” Ahmed said in a statement.