Truecaller suddenly became the hottest topic on the dark web as a trove of personal data belonging to 4.75 crore Indians was put on sale for a measly price. The criminals who put the data on sale claimed it was of Truecaller users in order to add credibility, as the app is widely used in the country to identify unknown callers.
The compromised personal data was detected by Cyble, a U.S.-based cyber intelligence firm founded by global cybersecurity expert Beenu Arora. The firm studied the leaked data and found that it belonged to users from various Indian states, including Maharashtra, Bihar, Andhra Pradesh, Delhi, Haryana, Madhya Pradesh, North East India, Odisha and Punjab.
What was leaked and for how much?
The firm identified that the leaked details of 4.75 crore Indians included phone numbers, names, genders, locations, email IDs and Facebook profile information. All this information, which is considered a goldmine for bad actors, is available for just $1,000 or about Rs 75,000.
Given the many ways the data can be misused, it is shocking that it is available for such a low price. But as Arora pointed out, the cybercriminal who goes by the name TooGod on the dark web is not in it for the money but to expand his presence.
What's at risk?
Any amount of data can be misused by bad actors in many ways. From identity theft to phishing attacks and more, cybercriminals can carry out numerous types of crimes. Even though India's central and state cybercrime agencies are investigating the matter, users who think they are exposed can register themselves on AmiBreached.com to ascertain their exposure.
If your personal data is exposed, there's not much you can do except, in some cases, change your phone number and email IDs to avoid falling prey to phishing attacks. If the security firm is to be believed, Truecaller users are the only ones affected by this data leak.
Truecaller questions credibility
Since the cybersecurity firm is claiming the data belongs to users of the Truecaller app, we reached out to the popular caller ID app for clarity. Not only did Truecaller deny any breach of its database, it also said the hacker might have used the Truecaller label to add some credibility to the data.
"There has been no breach of our database and all our user information is secure. We take the privacy of our users and the integrity of our services extremely seriously and we are continuously monitoring for suspicious activities. We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It's easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell. We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money," Truecaller said in a statement.