Truecaller India 2019 Data Breach

Truecaller India Caller-ID Data Compilation (2019): ~47.5M Indian Records (Phone, Email, Carrier, Facebook ID) Sold - Truecaller Denies a System Breach

Platform · Caller identification and spam blocking · Mobile identity and communication app · Global

Truecaller India Caller-ID Data Compilation (2019): ~47.5M Indian Records (Phone, Email, Carrier, Facebook ID) Sold - Truecaller Denies a System Breach

Caller ID and spam blocking app.

Compilation · ObscureIQ Intelligence
Breach Risk Index i
41/100
Lower riskHigher risk
Moderate: notable exposure with meaningful misuse potential.
Data Sensitivity i
Standard
Exposed data is largely lower-sensitivity. Standard identity-protection precautions are advised.
42.7MRecords
2019Year

The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.

Classification Tags
Data & IdentityData BrokersThird Party2019

Breach Summary

In 2019, a dataset covering approximately 47.5 million Indian Truecaller users (this record reflects ~42.7M) was advertised for sale on the dark web for about $1,000. The data reportedly included phone numbers, names, email addresses, gender, mobile carrier, and Facebook IDs. Truecaller denied any breach of its systems and said the data had likely been compiled from multiple phone-number databases and mislabeled as Truecaller; independent researchers found no evidence of a Truecaller hack. It is best characterized as a compiled/aggregated dataset of disputed origin rather than a confirmed Truecaller breach.

Full threat analysis, exploitation vectors, and principal guidance below.

10 additional sections · verified field analysis · defensive doctrine

Querying breach corpus…
Cross-referencing exposed field types…
Resolving threat-actor attribution…
Compiling principal risk advisory…

42.7M records analyzed

About Truecaller India

Truecaller is a caller-identification, spam-blocking, and contact app (developed by Sweden-based Truecaller AB) with especially large adoption in India. It aggregates phone numbers and names, largely from crowdsourced address books, to provide caller ID.

Why They Hold Your Data

Caller ID and spam-blocking platforms aggregate phone numbers, contact names, device identifiers, call metadata, and crowd-sourced identity labels to map real-world identities to phone numbers at scale.

Recent Developments

In 2019, a dataset of ~47.5 million Indian Truecaller users was offered for sale on the dark web (for about $1,000). Truecaller denied any breach of its systems, stating its databases were secure and that bad actors had likely compiled multiple phone-number databases and labeled the result "Truecaller." Researchers found no evidence of a Truecaller hack.

Data Points Exposed

6 verified field types
Email Address
Full Name
Gender
Mobile Carrier
Phone Number
Social Media Profile

Breach Impact

The circulating dataset ties phone numbers to names, emails, carriers, gender, and Facebook IDs for tens of millions of Indian users, enabling large-scale phishing/smishing, SIM-swap targeting, and identity enrichment. Because Truecaller disputes a system breach, the data is best understood as a compiled/aggregated dataset attributed to Truecaller rather than an exfiltration from Truecaller itself.

Exploitation & Downstream Threats

• Large-scale phishing and smishing using phone + name + email | • SIM-swap targeting using phone + carrier data | • Identity enrichment linking phone, email, and Facebook ID | • Targeted scams against Indian mobile users

Principal Risk Advisory

What this means for a principal

A data-broker/identity breach: aggregated identity attributes re-seed broker networks and enrich targeting of the individual. For a high-profile principal the main risk is credible impersonation and enrichment of existing exposure.

What You Should Do

  1. Guard against SIM-swap and vishing: add a carrier port-out PIN and verify any 'support' calls independently.
  2. Do not use unofficial 'am I affected' lookups; several are themselves harvesting operations.

How ObscureIQ Can Help

  1. Corpus confirmation: determine whether and where the principal (plus household and staff) appear in this dataset and which specific fields are exposed for them.
  2. Exposure mapping and footprint neutralization: cross-reference against broker-available data and suppress still-removable elements, prioritizing address and phone, since this record re-seeds broker networks.
  3. ThreatWatch tuned to this incident's identifiers and misuse pattern (impersonation and targeting patterns, not generic credential monitoring).

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation