In a statement Thursday, the Swedish startup acknowledged a "cyberattack" but offered few details. It said that attackers retrieved tokens that, when paired with a secret passphrase, give third-party websites access to individuals' Facebook, Google and other social media accounts. But, Truecaller said, hackers had not obtained those much-needed keys.
Truecaller has amassed nearly a billion phone numbers in less than four years with help from its more than 20 million users, mostly in Europe and Asia. Truecaller gets information from various white pages and yellow pages services. And users on most of Truecaller's smartphone apps can upload their phone's contacts to help populate the directory. That especially helps the company get ahold of details for people with prepaid phone accounts.
Finding names by numbers is free. Searching for someone's number by names costs money. Getting access to these features requires logging in with a social media account. When Facebook or the like approves the login request, the social media network sends Truecaller a unique token. Truecaller can use it to request additional information about the user from a social network's database.
"Truecaller does not store passwords, credit card information, or any other sensitive information about our users," the company said. "It is false information that attackers were able to access our user's (sic) Facebook, Twitter, or any other social media passwords."
Asked if he could provide more clarification, Truecaller spokesman Kim Fai Kok said in an email, "It's our responsibility to inform our users and the public as soon as we've investigated this matter."
Though the company would not confirm whether hackers breached the site via a WordPress installation, the incident serves as a reminder to quickly update applications. WordPress' month-old security release fixes several notable vulnerabilities that could give attackers access to a website's internals.