Duolingo Suffers Massive Data Breach; Scrapped Data Lands on Hacking Forum
With cybersecurity crimes on the rise, it has become increasingly important for organizations to employ stringent data protection measures to ensure the security and privacy of user data. However, no matter how careful organizations are, bad actors find one way or another to breach security and extract sensitive data. Just last week, Discord.io, a third-party companion app for Discord, suffered a data breach that resulted in its temporary closure. And now the popular language-learning app Duolingo has fallen victim to a data breach. Keep reading to learn what Duolingo data the hackers have access to and what the company is doing about it.
Duolingo Users Data Leaked Online
As per an X post (formerly a tweet) made by @vxunderground, a threat actor extracted scraped data on 2.6 million Duolingo users and posted it on a new version of the popular hacking forum Breached. The breach was confirmed by BleepingComputer in a recent blog post. And the worst part is that this data has been made available on the forum for 8 site credits, worth only $2.13, which is practically nothing.
This data was collected by exploiting an existing bug in the Duolingo API that allowed the bad actor to obtain personal user details such as email ID, contact details, addresses, and much more, simply by sending a valid email address to the API.
A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied). They used an email list to assemble over 2.6m unique entries. This will be used for doxxing. — vx-underground (@vxunderground), August 21, 2023
The hacker verified active Duolingo users by feeding millions of email addresses to the vulnerable API. The verified email IDs were then used to build a dataset containing both public and non-public information. Alternatively, it is also possible to feed a username to the API and retrieve JSON output containing sensitive user data.
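The two failures described above are an account-enumeration endpoint (the response reveals whether an email address is registered, and a hit returns profile data) and a username lookup that returns more than the user chose to make public. The following Python sketch is an added illustration, not Duolingo's code and not from the article: it contrasts a leaky email lookup with a hardened one, shows a username lookup restricted to an allow-list of public fields, and runs a simple enumeration detector over constructed access-log lines. The route name /api/users, the user records, the log format and the client addresses are all assumed for the example.

```python
import re
from collections import defaultdict

# Constructed sample user store; names and privacy settings are hypothetical.
USERS = {
    "alice@example.com": {"username": "alice", "name": "Alice", "email": "alice@example.com",
                          "languages": ["es", "fr"], "profile_public": True},
    "bob@example.com":   {"username": "bob", "name": "Bob", "email": "bob@example.com",
                          "languages": ["de"], "profile_public": False},
}
BY_USERNAME = {u["username"]: u for u in USERS.values()}

# The only fields that may ever leave the server on an unauthenticated profile request.
PUBLIC_FIELDS = ("username", "name", "languages")


def lookup_by_email_leaky(email):
    """Enumeration-prone: the status code alone reveals whether the address is
    registered, and a hit returns the whole record, email included."""
    user = USERS.get(email)
    if user is None:
        return 404, {"error": "no such user"}
    return 200, dict(user)


def lookup_by_email_hardened(email):
    """Hardened: an unauthenticated caller gets the same status and body whether
    or not the address is registered, so the endpoint cannot confirm accounts.
    Any feature that truly needs the email-to-user mapping runs behind
    authentication (assumed, not shown here)."""
    _ = USERS.get(email)  # the lookup may still happen, but never shapes the reply
    return 200, {"message": "If that address is registered, we have sent it an email."}


def public_profile(username):
    """Username lookups return only allow-listed fields, and nothing at all when the
    profile is private. Missing and private users get the same answer."""
    user = BY_USERNAME.get(username)
    if user is None or not user["profile_public"]:
        return 404, {"error": "not found"}
    return 200, {k: user[k] for k in PUBLIC_FIELDS}


# Assumed log format: "<ts> client=<ip> path=/api/users?email=<addr> status=<code>"
LOG_RE = re.compile(r"client=(?P<client>\S+) path=/api/users\?email=(?P<email>\S+) status=(?P<status>\d{3})")


def detect_email_enumeration(log_lines, min_distinct=20):
    """Flag clients that query many distinct addresses: a legitimate user checks one
    or two, a scraper walks a list. The miss ratio is reported as supporting
    evidence, but is not required, because once the endpoint is hardened the
    status code carries no signal and only the volume of distinct addresses does."""
    per_client = defaultdict(lambda: {"emails": set(), "misses": 0, "total": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        stats = per_client[m["client"]]
        stats["emails"].add(m["email"])
        stats["total"] += 1
        if m["status"] == "404":
            stats["misses"] += 1
    flagged = {}
    for client, s in per_client.items():
        distinct = len(s["emails"])
        if distinct >= min_distinct:
            flagged[client] = {"distinct_emails": distinct,
                               "miss_ratio": round(s["misses"] / s["total"], 2)}
    return flagged


def constructed_logs():
    """Constructed sample log lines: one client walking an address list against the
    leaky endpoint (most guesses miss), one ordinary client checking its own address."""
    lines = []
    for i in range(25):
        status = 200 if i % 5 == 0 else 404  # 5 hits, 20 misses
        lines.append(f"2023-08-21T10:00:{i:02d}Z client=203.0.113.5 "
                     f"path=/api/users?email=user{i}@example.org status={status}")
    lines.append("2023-08-21T10:01:00Z client=198.51.100.7 path=/api/users?email=alice@example.com status=200")
    lines.append("2023-08-21T10:01:03Z client=198.51.100.7 path=/api/users?email=alice@example.com status=200")
    return lines


if __name__ == "__main__":
    print(detect_email_enumeration(constructed_logs()))
```

The hardened lookup deliberately ignores the result of the database query when building its reply; rate limiting per client and per address would sit in front of it, but the uniform response is what removes the confirmation signal, and the detector's per-client distinct-address count is what survives that change on the monitoring side.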
However, this is not the first time this data has appeared online. Back in January, Falcon Feeds brought this issue to light via an X post. The scraped database was posted on the older version of the Breached hacking forum for $1,500. The exposed data contained personal information of users such as email addresses, phone numbers, pictures, privacy settings, and much more.
Duolingo acknowledged this issue to The Record back then and assured everyone that it was investigating the matter. However, the platform somehow missed the fact that private information like email addresses was also part of the scraped data.
The DuoLingo database (scraped) has been listed for sale in a hacker's forum. According to the user, the claimed data contains 2.6 million account entries. #databreach #cyberrisk pic.twitter.com/7jttRnncpM — FalconFeedsio (@FalconFeedsio), January 24, 2023
Now, the most concerning part about this issue is that the vulnerable API is still openly available to everyone on the web, even though this issue caught Duolingo's attention back in January. And sadly enough, this is not surprising. Companies often tend to neglect their scraped data, since it mostly contains already-public information and is not easy enough to compile to pose any credible threat.
However, in the case of Duolingo, this scraped data also contained sensitive user information that is not publicly available. As of now, we can only wait for Duolingo to resolve this issue on a priority basis. And in case your data is among those leaked, the most you can do is change your credentials and/or delete your Duolingo account.
Siddhartha Samaddar
A curious being who is fascinated by the world of tech and literature alike. Always on the lookout for the "next big thing" in software. In my free time you can find me either trying my hand at gaming or daydreaming about my "ideal gaming setup."