02/06: We want to express our gratitude towards CERT India for their collaborative efforts. Hence, we have handed over the samples (including other Indian-related) to them for further investigations.
28/05: The last 24 hours have been interesting for our researchers, especially when Truecaller denied any data leaks, and essentially questioned the legitimacy of it. Hence it is our responsibility to bring some facts to the table:
- The data acquired by us appears to have originated from 2019, as reported here – https://www.bankinfosecurity.asia/researcher-data-leaked-for-300-million-truecaller-users-a-12519
- The data was acquired from a reputed seller, and they have listed several other verified leaks in the market. That said, the credibility of the seller is undisputed from our perspective.
- We looked at certain samples, and the details matched.
- Interestingly, Truecaller admitted that the data we have might be real data though (which is ambiguous). See below:
- While Truecaller has denied this leak entirely, to date their team has not requested a sample from us – we are also surprised by how they arrived at a conclusion, considering:
  - They haven’t performed any validation that the data we have is the same as that from 2019. Yes, we did highlight in the original post that this leak is not new, and is from 2019, as below
  - Their 2019 comment asserted that a malicious user may have abused their service. Reference here:
- At this point, we have no evidence whatsoever suggesting that Truecaller was hacked in 2019 or recently. There are a number of other avenues which may cause data leaks and spills, such as misconfigured apps, systems, third-party APIs, etc. In 2016, the BBC reported that an investigation by Factwire, an investigative news organization, determined that Truecaller searches could be conducted on the app provider’s official website without even installing the software. There have been known issues with the app in the past.
Many of our team members are using Truecaller and like the app. We hope that they investigate these issues more seriously and work closely with the research communities. In case there are issues or legit security concerns, we trust they will take appropriate actions to mitigate the risks, and in the event of a data leak/spill, they will inform the affected parties/users.
27/05: The same actor has dropped another 600 Mn records for sale. See below:
Darkweb markets never shy away from surprising Cyble’s researchers, especially when it comes to finding interesting records/information/databases on the deepweb and darkweb.
The last 72 hours have been quite exciting for our researchers as they found 100s of unprotected S3 buckets from major websites, but we will leave that for another day!
Let’s get to the actual topic, i.e. Truecaller. In this instance, our researchers have identified a reputable seller, who is selling 47.5 million Indians’ Truecaller records for $1000. The data is from 2019. We were also taken by surprise by such a low price point (in our opinion).
We were sceptical, but considering we have a large number of subscribers and enterprises in India, we decided to go ahead with the validation stage. And soon we realised that we didn’t make a wrong decision!
As part of our preliminary analysis, we noticed that the information was quite well organised, such as by state, city and carrier. The actor must have spent a reasonable amount of time in organising this.
Looking at the information itself, it has over 47.5 million records, and it includes interesting information such as Phone Number, Carrier, Name, Gender, City, Email, Facebook ID and others. See below:
Looking at the Delhi records, here is a sample from it:
Looking at some of the Mumbai records:
Cyble researchers are progressing with their analysis, but clearly, this leak may have a potential impact on a broad range of users in India, such as spam, scams, identity theft, etc.
We will update this blog as we get more information.
Cyble has indexed this information on AmiBreached.com – Cyble’s data breach monitoring and notification platform. People who are concerned about their exposure can register on the website to ascertain their exposure.