Truecaller Hacked; Millions of Phone Records Stolen. Many Indians On It [Updated]
The Syrian Electronic Army has claimed to have hacked Truecaller, a collaborative phone directory, exposing millions of phone records, the majority of which are from India.
The hackers have managed to get their hands on a number of databases including the main database that represents 450GB of data, E Hacking News reports.
The website claims that the hackers were able to exploit a hole in the service because it was using an outdated version of the blogging software WordPress for its web interface.
We have sent an email to Truecaller for some clarification on the news and will update this post as soon as we hear from them. The Truecaller statement confirming the attack is below.
Last month, Truecaller announced that it had more than 20 million users worldwide who were conducting over half a billion name and number searches each month. In March, the company had said that it had over 1 million users from India. That number has probably more than doubled now. We still don’t know exactly how many accounts were breached.
The hackers also tweeted a screenshot of the database and posted the login credentials for the site’s database on Twitter.
The hackers also claim to have data of over a million users with their Facebook, Twitter, LinkedIn and Gmail accounts.
The Truecaller website was pulled offline for a while but is operational now.
Truecaller asks users before it uploads their phone books to its servers. The uploaded contacts are added to a database that lets the Truecaller app display the name of a caller, even if the number is not saved in the recipient’s phone book.
A couple of weeks ago, Truecaller had partnered with Innoz to offer users the ability to trace any number with just an SMS.
How to: Unlist Yourself from Truecaller
The likelihood of your number being listed on Truecaller is very high because many users have chosen to share their phone book with it. If you are concerned about privacy, you can unlist yourself by going to the Truecaller website and entering your phone number, which will remove it from the directories instantly and permanently (hopefully).
Given the chances that this might happen again, we recommend you uninstall the app and also make sure that you delist your number on the Truecaller servers.
Update: Truecaller Confirms Cyberattack
Truecaller has now confirmed the hacking of the website on its blog:
Truecaller experienced a cyberattack on our website that resulted in unauthorized access to some data. We were able to shut it down moments after we discovered it. Our investigation into the matter indicates the attackers were able to access ‘tokens’, which were immediately reset. Metaphorically speaking, a ‘token’ is a unique lock for each user, but what the attackers did not acquire is the needed key, which has also been reset.
Truecaller does not store passwords, credit card information, or any other sensitive information about our users. It is false information that attackers were able to access our users’ Facebook, Twitter, or any other social media passwords.