Millions of Duolingo Users’ Data Available for Sale on Hacking Forum
Duolingo, a popular language learning app, saw the scraped data of around 2.6 million users leaked on a hacking forum. The compromised data included users’ email addresses, phone numbers, real and login names, as well as information related to the Duolingo services they used.
The company, whose app boasts more than 74 million users, stated in January this year that it was investigating the leak, when samples of user information were posted for $1,500 on the now-defunct hacking forum Breached.
According to the company’s initial statement, the attackers did not breach its systems; rather, the information was obtained from public sources. Nevertheless, the availability of leaked email addresses is concerning, as it exposes the affected individuals to phishing and social engineering attacks.
“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners,” the company’s spokesperson stated.
First spotted and revealed by VX-Underground on social platform X, the leaked dataset was available for sale on the new version of the Breached hacking forum for as little as $2.13.
The attackers obtained the information through an exposed application programming interface (API) that was first identified in March 2023. To exploit the API, an attacker only needs to submit a target’s email address or username to obtain a JSON file containing the public information matching the submitted email address or username.
Although the abuse of this API was reported by Duolingo and other cybersecurity researchers earlier this year, it remains freely available on the web.
According to security researchers, scraped data containing only public information is not too dangerous on its own. However, when combined with private, sensitive information, the data can be a potent weapon in the hands of threat actors, especially when carrying out phishing attacks.
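The lookup behaviour described above, next to a hardened handler, as an added example that is not Duolingo's code. The user record, field names, status codes and the per-client budget are all assumptions made for illustration.

```python
import json

# Constructed sample store; field names are assumptions, not Duolingo's schema.
USERS = {"lingo_fan": {"username": "lingo_fan", "name": "Ana Example",
                       "email": "ana@example.com", "phone": "+15550100",
                       "courses": ["es", "fr"]}}
BY_EMAIL = {u["email"]: u for u in USERS.values()}

PUBLIC_FIELDS = ("username", "courses")  # allow-list returned to callers
MAX_DISTINCT_LOOKUPS = 3                 # assumed budget per client per window
WINDOW_SECONDS = 60
_seen = {}                               # client id -> (window start, keys seen)

def _find(params):
    return BY_EMAIL.get(params.get("email")) or USERS.get(params.get("username"))

def lookup_exposed(params):
    """Behaviour the article describes: email or username in, full record out."""
    return 200, json.dumps(_find(params) or {})

def _over_budget(client_id, key, now):
    """Count distinct lookup keys per client in a fixed time window."""
    start, keys = _seen.get(client_id, (now, set()))
    if now - start >= WINDOW_SECONDS:
        start, keys = now, set()
    keys.add(key)
    _seen[client_id] = (start, keys)
    return len(keys) > MAX_DISTINCT_LOOKUPS

def lookup_hardened(params, client_id, now, authenticated=False):
    """Same lookup with the enumeration paths closed."""
    key = params.get("email") or params.get("username") or ""
    if _over_budget(client_id, key, now):
        return 429, json.dumps({"error": "rate limited"})
    # An email-keyed lookup ties an address to an account, so anonymous callers
    # get one answer whether or not the address is registered.
    if "email" in params and not authenticated:
        return 403, json.dumps({"error": "authentication required"})
    user = _find(params)
    if user is None:
        return 404, json.dumps({"error": "not found"})
    # Never echo email, phone or real name, even to authenticated callers.
    return 200, json.dumps({f: user[f] for f in PUBLIC_FIELDS})
```

The distinct-key counter is the signal worth alerting on as well as enforcing: one client cycling through many different email addresses is what a scraping run looks like in the logs.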