Update: TrueCaller has confirmed that its website was hacked. However, it claims that it does not store passwords, credit card information, or any other sensitive information. It has denied that attackers were able to access TrueCaller users’ Facebook, Twitter, or any other social media passwords.
July 18, 2013: The database of Sweden-based global phone directory service TrueCaller has been hacked by the Syrian Electronic Army, compromising millions of phone book records stored in it, reports thehackernews. Medianama is not in a position to verify this claim. We have contacted Truecaller for confirmation and will update the article once we receive a response.
This was first reported by ehackingnews.
According to the report, Truecaller’s website was based on an outdated version of the blogging software WordPress (V3.5.1). It saved phonebook records uploaded by Truecaller users to this database. Hackers seem to have downloaded more than 7 databases of 450GB in size from Truecaller servers. At the time of writing this article, it’s not clear whether the entire database has been stolen or only part of it. The database also apparently contains access codes to users’ Facebook, Twitter, Gmail, and LinkedIn accounts, allowing hackers to post updates from the accounts of Truecaller users who have connected these networks to their Truecaller account, as per the report. We advise users to immediately revoke the access they have granted to the Truecaller service on these networks.
Besides stealing the database, the hackers also posted admin login credentials to Truecaller’s database on Twitter. At the time of writing this article the database was not accessible; however, we can’t rule out the possibility of the database falling into the wrong hands.
— SyrianElectronicArmy (@Official_SEA12) July 17, 2013
TrueCaller allows users to look up anonymous mobile and landline numbers on the web or on their Internet-enabled mobile phone and browse the contact information of the owner of that number. Besides this, it also allows users to view caller ID information of the current caller, block unwanted calls, and connect their Facebook or LinkedIn account to view the latest messages from their connections. The service is currently available as a web app and offers free mobile apps for iOS, Android, Symbian (S60 / S40), BlackBerry and Windows Phone platforms.
The issue with the app is that a person has no control over whether their number is shared on the service by one of their contacts. While the service does offer an option to unlist a number, we are not sure how many people are aware that their number is already shared on the service and then go about unlisting it. Besides that, it’s also unclear whether Truecaller actually deletes all records from its database after one delists a number. From their FAQ:
“For the respect of your security, your number will be immediately and permanently removed from any search result. You cannot submit your number again. Please go to http://www.truecaller.com/unlist to unlist your number permanently.”
While it states that it removes one’s number from search results, it’s not apparent that the records are permanently deleted. So even if one has unlisted their number, we are not sure whether their data has been compromised, as it might still be stored on Truecaller’s servers.
Last month, Truecaller claimed to have clocked 20 million users globally, up from 10 million users in January 2013. Truecaller had previously claimed that a majority of its users are from India, although it hadn’t disclosed any specific information on its Indian user base. An ET report suggests that the company had 1.6 million users in India as of June 2012, which accounted for half of the company’s user base. Also note that these 1.6 million users are the ones who use the application, which means that the actual number of phone book records from India on Truecaller’s servers could be much higher.