DuoLingo Data Drama: 2.6M Users at Risk
DuoLingo, boasting over 74 million monthly users, found itself in hot water recently. In January 2023, a seller on the Breached hacking forum, which has since been shut down, offered data on 2.6 million DuoLingo users for $1,500. This data set, which originally appeared to be mere public profiles, also shockingly included email addresses—a valuable asset for cyberattacks.
Interestingly, while DuoLingo acknowledged the issue when the data was first put up for sale, they sidestepped concerns about the non-public emails being part of the dataset.
Later, on a revived Breached forum, the same dataset was sold for a mere 8 site credits ($2.13). The hacker's cheerful message accompanying the sale read, "Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!"
The origin of this leak? An exposed API, public since March 2023. Beyond returning public profile information, the API, when given an email address, reveals whether that address is tied to a DuoLingo account. This account-enumeration behaviour let the attackers feed in millions of email addresses from earlier breaches, confirm which ones belonged to DuoLingo users, and merge the public profile data with those non-public emails into the dataset they sold.
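The enumeration pattern described above leaves a recognisable trace in API access logs: one client resolving many distinct email addresses in a short window. The detector below is an added example written for this post, not DuoLingo's code; the endpoint path, log format, threshold and the log lines themselves are constructed assumptions.

```python
"""Flag clients that use an email-lookup API for account enumeration.

Added example, not DuoLingo's code. The endpoint path, the access-log
format and the threshold are assumptions; the sample log is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed access-log format: "<ISO timestamp> <client_ip> <method> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
EMAIL_RE = re.compile(r"email=([^&\s]+)")
LOOKUP_PATH = "/api/user-lookup"  # hypothetical path, not the real API


def parse_line(line):
    """Return (timestamp, client_ip, email) for lookup requests, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, path = m.groups()
    if not path.startswith(LOOKUP_PATH):
        return None
    em = EMAIL_RE.search(path)
    if not em:
        return None
    return datetime.fromisoformat(ts), ip, em.group(1).lower()


def find_enumerators(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak_distinct_emails} for clients that looked up more than
    `threshold` distinct addresses within any sliding window of `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, ip, email = rec
            by_ip[ip].append((ts, email))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, email in events:
            in_window[email] += 1
            # Slide the window: drop events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one user checking their own address twice, and one
# client resolving 25 different addresses within 25 seconds.
SAMPLE_LOG = [
    "2023-08-23T10:00:00 203.0.113.7 GET /api/user-lookup?email=alice%40example.com",
    "2023-08-23T10:00:30 203.0.113.7 GET /api/user-lookup?email=alice%40example.com",
] + [
    f"2023-08-23T10:01:{i:02d} 198.51.100.9 GET /api/user-lookup?email=user{i}%40example.org"
    for i in range(25)
]
```

Only the second client exceeds the threshold; the benign client repeats a single address and is not flagged.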
Despite the API's abuse being flagged to DuoLingo in January, it remains accessible. Furthermore, another hacker shared a tactic, highlighting valuable accounts for phishing attempts.
DuoLingo's silence on the API's continued public status raises eyebrows. BleepingComputer reached out but received no response at the time of writing.