Truecaller user data for sale? Company says investigating "illegal activity"

Truecaller, which has over 100 million DAUs in India, says there is no data breach from its side. However, some users have been "abusing their accounts" lately.

Only a day after reports surfaced that the private data of millions of Instagram influencers had been compromised, caller identification app Truecaller has come under scrutiny over a similar issue.

Cybersecurity analysts claim that Truecaller data, which includes names, email addresses, phone numbers, and even locations of some users, is available for sale on the dark web. Prices start as high as Rs 1.5 lakh (about 2,000 Euros) for datasets of Indian users - who constitute nearly two-thirds of Truecaller's worldwide user base (250 million). This includes 500,000 premium subscribers.

Truecaller denies any data breach, but admits that some of its users have been "abusing their accounts" in "illegal" ways.

In a statement to YourStory on Wednesday, the company said,

"We would like to strongly confirm at this stage that there is no sensitive information being accessed or extracted, especially users' financial/payment details... However, we believe some users have been abusing their Truecaller accounts on our website for a period of time to search for numbers. This is an illegal activity and we condemn it. We are investigating this and will be taking appropriate action against such entities."

Sweden-based Truecaller counts over 100 million daily active users in India, and has consistently ranked among the country's top five most-downloaded apps. From a mere phone number search and caller ID application, it has now evolved into a full-blown social, communications, and payments platform.

In 2017, it rolled out a UPI-based payments service, Truecaller Pay, for Indian users. The company also revealed that every 10th active user in India had linked their bank account to Truecaller Pay.

Despite Indian users' increasing dependence on Truecaller services, the platform has been plagued by security and privacy concerns. In December 2017, the Indian Army dubbed Truecaller "spyware" or "malicious ware" and demanded its personnel delete the app from their phones with immediate effect. Later, however, the army took Truecaller off its list of suspicious apps.

Earlier in 2019, Truecaller began storing Indian consumer data on local servers. In light of the latest alleged data breach, the company reiterated that this was not an attack on its database, "as data stored on our servers is highly secured". "As we investigate, we will continuously implement new protocols to prevent any future attempts," it added.
