Private data of users of caller ID and UPI payments app Truecaller – including names, phone numbers and email addresses – is available for purchase on the so-called dark web, reports the Economic Times, citing an unnamed cyber security analyst. The report said the data of Indian users was being sold for about €2,000 (approx Rs 1.55 lakh), while that of global users was priced as high as €25,000 (approx Rs 19.5 lakh) on the dark web, which is a part the web that requires special software to access, and allows users to remain untraceable. ET said it had reviewed a sample data set that was on sale and found it contained personal data of users, which it verified against data from the Truecaller app itself. It’s worth noting that 100 million or 77% of Truecaller’s 130 million worldwide daily active users are in India.

In a statement to MediaNama, a Truecaller spokesperson denied that the company’s database had been breached but said it was possible that some malicious users had been abusing their Truecaller accounts to collect phone numbers in violation of the company’s terms of service. It said the data set that ET had shared with it contained fields that its users make available for search in the app, and did not come from its own database. “The majority of the data that we analysed did not match our systems,” the spokesperson said.

The company also said it had strict search limits and other precautionary measures in place to prevent users from compiling mini-databases through searches on Truecaller. “If we identify any third party that is responsible, we will not hesitate to take such action as may be necessary to enforce and protect the rights of our users and Truecaller,” the spokesperson said.

In January, Truecaller had said all of its Indian user data, including payments data, was stored In India “to ensure that the data of its Indian users remains secured and to provide faster and more reliable services”.

Recent data breaches: Justdial, Amazon India, Marriot and Facebook

  • In April, Justdial suffered a data breach that leaked the data of more than 100 million users, including name, email, mobile number, gender, date of birth, photo, company and occupation. More than 70% of the data belonged to users who had called Justdial’s “8888888888” number but the data of unregistered users may also have been leaked.
  • Amazon India faced a data breach in January in which sellers’ data from their merchant tax reports was exposed to other sellers. The breach came to light when sellers logged on to Amazon to download their monthly merchant tax reports, which had information such as sales volume across categories, orders processed, and inventory.
  • In December, hackers accessed upto 500 million customer records in Marriot Hotels’ Starwood reservation system in an attack which began four years previously, The exposed data included payment details and account information among other things.
  • Facebook said in September that between 50 million and 90 million users were affected by a security breach involving its ‘View As’ feature. The company said the vulnerability had been undiscovered for a year.