The scraped data of 2.6 million users of the popular language learning app Duolingo is available for sale on a hacking forum.
The leaked data includes the email addresses, names, and profile pictures of 2.6 million people, which can be exploited by threat actors to perform targeted phishing attacks.
While the leaked data includes a combination of login names and real names, which are publicly visible on a user’s Duolingo profile, it also includes email addresses and internal information about the Duolingo service that is not publicly available. This has raised concerns, as the email addresses could make users vulnerable to phishing attacks.
For those unaware, the scraped information of 2.6 million customer accounts first went on sale for $1,500 on a now-defunct hacking forum, Breached, in January 2023.
Back then, the hacker, in a post on the hacking forum, said they got the information from scraping an exposed application programming interface (API) and also provided a sample of data from 1,000 accounts.
“I am selling 2.6 million Duolingo account entries that were scraped from an exposed API. Starting price is $1,500 USD, but the price can be negotiated,” read the post on the hacking forum.
When Duolingo became aware of the incident, they confirmed to TheRecord that it was scraped from public profile information, but no data breach or hack had occurred.
They added that an internal investigation was underway to determine whether additional security measures were needed.
However, they did not mention the fact that private email addresses, which are not public, were also part of the exposed data.
Recently, the scraped 2.6 million user dataset with all information was released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13, which was first spotted by VX-Underground.
“Hello BreachForums Community, Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!” reads a post on the hacking forum.
This data was scraped by abusing a flaw in Duolingo’s exposed application programming interface (API), which allows anyone to submit a username and retrieve a JSON response containing the user’s profile information (name, email, languages studied).
The exposed API has been openly circulated and known about since at least March 2023, and researchers have been tweeting about it and publicly documenting how it works.
According to VX-Underground, the same flaw lets anyone submit an email address to the API to confirm whether it belongs to a valid Duolingo account. They warn that the leaked data could be used for doxxing and may also lead to targeted phishing attacks.
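The two defensive failures the article describes are an API that returns private fields (email, internal data) in a "public profile" response and one that lets a caller resolve an email address to an account, with no throttling of bulk lookups. The following is an added example, not Duolingo's code, that models a toy profile endpoint both ways: a leaky lookup that mirrors the described behaviour, a hardened lookup that only accepts usernames and only serialises public fields, and a simple per-client enumeration monitor that flags a caller querying many distinct accounts. All user records, field names and the threshold are constructed for the example.

```python
import json
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    name: str
    email: str            # private: must never reach an unauthenticated caller
    languages: list
    internal_flags: str   # stand-in for "internal information" (constructed)


# Constructed sample directory; keyed by username as the public identifier.
USERS = {
    "alice": User("alice", "Alice Example", "alice@example.test", ["es", "fr"], "beta-cohort"),
    "bob": User("bob", "Bob Example", "bob@example.test", ["de"], "none"),
}

# Allow-list of fields that belong in a public profile response.
PUBLIC_FIELDS = ("username", "name", "languages")


def leaky_lookup(query: str) -> str:
    """Models the flaw described in the article: a username OR an email
    resolves to the full record, so the response leaks private fields and
    an email address can be confirmed as belonging to an account."""
    for user in USERS.values():
        if query in (user.username, user.email):
            return json.dumps(vars(user))  # serialises every field, including email
    return json.dumps({"error": "user not found"})


def hardened_lookup(username: str) -> str:
    """Only usernames (already public on profile pages) are accepted as a key,
    and only allow-listed fields are serialised. An email address submitted
    here is simply an unknown username, so it cannot confirm an account."""
    user = USERS.get(username)
    if user is None:
        return json.dumps({"error": "user not found"})
    return json.dumps({k: getattr(user, k) for k in PUBLIC_FIELDS})


class EnumerationMonitor:
    """Counts distinct accounts each client has looked up. A scraper walking
    millions of usernames stands out from a normal user, who views a handful
    of profiles; the threshold here is a constructed illustrative value."""

    def __init__(self, threshold: int = 50):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def record(self, client_id: str, query: str) -> bool:
        """Returns True once the client should be throttled or alerted on."""
        self.seen[client_id].add(query)
        return len(self.seen[client_id]) > self.threshold


def simulate_scrape(monitor: EnumerationMonitor, client_id: str, count: int) -> int:
    """Feeds `count` distinct constructed lookups from one client and returns
    how many of them were flagged."""
    return sum(monitor.record(client_id, f"user{i}") for i in range(count))


if __name__ == "__main__":
    print("leaky   :", leaky_lookup("alice@example.test"))
    print("hardened:", hardened_lookup("alice"))
    print("hardened by email:", hardened_lookup("alice@example.test"))
    m = EnumerationMonitor(threshold=50)
    print("flagged lookups out of 60:", simulate_scrape(m, "203.0.113.9", 60))
```

The monitor is deliberately minimal; in production the same signal would feed a rate limiter keyed on client identity and a detection rule, but the point is that a public-profile endpoint should serialise an allow-list of fields and never accept a private identifier such as an email address as a lookup key.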
BleepingComputer has confirmed that the API is still publicly available despite Duolingo being notified in January 2023 that it was open. Duolingo has yet to reply as to why the API is still open.
Duolingo, one of the world’s largest and most popular language learning sites, has over 500 million registered users and over 74 million monthly active users.