According to a security researcher, there is no way to verify if the ‘Truecaller data’ being sold on the Dark Web was sourced from Truecaller. Earlier, a report from online intelligence firm Cyble claimed Truecaller data of 4.75 crore Indians were at risk.
There is no way to know if the data was completely fetched from Truecaller
“There is no way to verify if the data was completely fetched from Truecaller,” security researcher Ehraz Ahmed told TheWindowsClub. “Anyone can forge the information using other Truecaller alternatives and their APIs to fetch private data and sell it on the Dark Web.”
Meanwhile, Truecaller also maintains no breach has ever taken place and the data leak being reported is about a similar sale from May 2019. Last year, researchers had raised similar concerns that Truecaller data was being sold by third-parties.
“What they (Cyble) have here is likely the same dataset as before,” Truecaller spokesperson told TheWindowsClub. “It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it.”
According to Truecaller, the motive behind misusing its brand name is to lend credibility to the data, making it easier for ‘bad actors’ to sell on the Dark Web.
“We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money.”
In their updated report, Cyble researchers had also stated that they hadn’t been requested for a sample from the Truecaller team. When asked about it, Truecaller India’s Director of Corporate Communications Hitesh Raj Bhagat told TheWindowsClub:
“That’s absolutely not true. We have reached out to them…”
Bhagat further stressed that there’s a bug bounty program where security researchers get rewarded for their efforts and discoveries.
Truecaller is a caller ID app with more than 500 million downloads around the world. The app sees 200 million monthly active users while 75 percent of all monthly active users are from India. Truecaller also claims to be the third most-used app in India.