Personal data of 47.5 million Indians — including their phone number, service provider, name, gender, city, email, and Facebook ID, among other things — claimed to be sourced from caller ID app Truecaller is available for sale on the dark web for $1,000 (₹75,000), cybersecurity firm Cyble said. Truecaller, in a statement to MediaNama, however, denied any breach of its database. A Truecaller spokesperson said:
“There has been no breach of our database and all our user information is secure. We take the privacy of our users and the integrity of our services extremely seriously and we are continuously monitoring for suspicious activities. We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell. We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money.”
Cyble said that the data is from 2019, and as a part of its preliminary analysis, it noticed that the information was quite well organised by state, cities and carrier. According to a screenshot shared by the company, the data was categorised into states including Delhi, Maharashtra, and Haryana, and an entire demography such as North East. Cyble said that the person who uploaded the database has also published another database which has 600 million records, mostly related to China.
In May 2019, a report by the Economic Times had said that data of Indian users of Truecaller was available for sale on the dark web for about Rs 1.5 lakh. ET had also reviewed a sample data set that was on sale and found it contained personal identifiers as well as users’ state of residence and mobile service provider. Truecaller had denied any breach of its database then as well.
Last week, Cyble discovered leaked personal details of about 29 million Indian job seekers, including sensitive information such as their email, phone, home address, qualification, and work experience, on the dark web. The company had also discovered almost 2,000 compromised Aadhaar cards, and information on 1.8 million people from Madhya Pradesh in a similar forum.