Duolingo user data that was hacked and left for sale on Breached, a now-defunct Hacker Forum in January 2023 and has now been publicly released on another hacker forum. At the time, the American language learning application confirmed to the media that it was investigating the Duolingo cyber attack. However, the Duolingo data leak of 2.6 million users with names, emails, and other data has become a huge privacy concern for its users.
Duolingo data leak and sale
Security researchers posted in January about the Duolingo data sale of 2.5 million users for a starting price of $1,500. The seller with the username ‘House’ wrote, “I am selling 2.6 million Duolingo account entries that were scraped from an exposed API,” in a dark web post dated January 24, 2023.
Data scrapping in computing involves importing information from a website to spreadsheets or other files. This could be automated using software applications and is often done by companies to fetch user data for marketing and maintaining a record of users among other purposes.
House claimed to have put the following Duolingo user data on sale –
- Name
- Phone number
- Joined classroom ID
- Streak
- Motivation
- Acquisition survey reason
- Picture
- Language selected
- Connected Facebook ID
- Beta status
- Privacy settings
The hacker forum seller placed samples of 1,000 Duolingo accounts as proof for convincing buyers.
How the education technology company responded to claims of Duolingo data sale
A spokesperson from Duolingo responded to requests for comments by The Record. They said, “These records were obtained by data scrapping public profile information… No data breach or hack has occurred.”
While they confirmed that they were investigating the Duolingo data leak claims, they denied experiencing a data breach.
House from the hacker forum mentioned exploiting a vulnerability in the Duolingo API. The Duolingo vulnerability allegedly allowed the hacker to access sensitive information.
“Pundits suspect that the threat actor fed this API email addresses leaked in previous breaches,” read a report by Laptop Mag assessing how the new user on the dark web managed to gain more user data from the exposed API.
“Next, the API likely confirmed whether the email addresses are connected with an active Duolingo account. Consequently, the threat actor had the opportunity to create a Duolingo customer data collection that features a mélange of both public and non-public information,” the Laptop Mag report explained.
The same was addressed by a security expert Troy Hunt through a service that allows checking if their information is traced to the dark web.
The same can be checked on Am I Breached, a platform offered by Cyble to check the presence of one’s information on the dark web.
A cybersecurity service Vx-underground tweeted about the Duolingo data breach and wrote that the dark web user accessed a list of email addresses to collect over 2.6 million entries. “This will be used for doxxing,” the tweet concluded analysing the further misuse of the leaked Duolingo data.
Doxing or Doxxing is publicly leaking someone’s personally identifiable information for malicious purposes. The Dox in doxing stands for documents for compiling or releasing publicly.
The data has been on sale since January this year and no action was reported to have been taken to tackle the Duolingo data leak or sale.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
