An unknown party has released the scraped data of 2.6 million DuoLingo users on a hacking forum. While they offered the data set for sale in January for $1,500, it’s now been released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.
DuoLingo is an educational platform most famous for its language learning programs. According to a May 2023 press release, DuoLingo has 72.6 million monthly active users.
Among other fields, the scraped data contain email addresses, usernames, languages, and which language the users are learning.
screenshot courtesy of FalconFeedsio
The data were scraped from public profile information by using an exposed application programming interface (API). On March 2, a researcher called Ivano Somaini tweeted how one could take advantage of Duolingo's API to check if an email address is associated with a Duolingo account.
The API allows anyone to run a query by submitting a username or an email address to confirm if it is associated with a valid DuoLingo account. Bleeping Computer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.
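The lookup behaviour described above is an account-existence oracle: a different answer for registered and unregistered addresses lets a caller test addresses one at a time. The following added example (not Duolingo's code, and not from the article) contrasts a toy lookup handler that leaks existence with one that answers identically for any email address, resolves only usernames to public fields, and gives each client a small request budget. The user records, client identifiers, public-field choice and timestamps are constructed assumptions.

```python
"""Added example (not Duolingo's or the article's code): a toy account-lookup
API in two forms. `lookup_leaky` mirrors the behaviour the article describes,
answering differently for known and unknown email addresses; `lookup_hardened`
answers the same for every email address, serves only public fields by
username, and limits lookups per client. Users, clients and timestamps are
constructed for illustration."""
import time
from typing import Dict, Optional, Tuple

# Constructed user records (assumption: the email address is private while the
# username and the language being learned are public profile fields).
USERS = [
    {"email": "alice@example.org", "username": "alice_learns", "learning": "Spanish"},
    {"email": "bob@example.org", "username": "bob1984", "learning": "Japanese"},
]
BY_EMAIL = {u["email"]: u for u in USERS}
BY_USERNAME = {u["username"]: u for u in USERS}
PUBLIC_FIELDS = ("username", "learning")


def _empty(status: int = 200) -> dict:
    """A fresh empty result; the hardened handler returns this shape for every miss."""
    return {"status": status, "body": {"users": []}}


def lookup_leaky(query: str) -> dict:
    """Existence oracle: a 200 with the full record for a registered email and a
    404 for anything else tells the caller whether the address has an account."""
    user = BY_EMAIL.get(query.lower()) or BY_USERNAME.get(query.lower())
    if user is None:
        return _empty(404)
    return {"status": 200, "body": {"users": [dict(user)]}}


class RequestBudget:
    """Fixed-window counter per client key (assumption: the gateway attributes
    each request to an API key or source address)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._state: Dict[str, Tuple[int, float]] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        count, start = self._state.get(client, (0, now))
        if now - start >= self.window_s:  # window expired: start a new one
            count, start = 0, now
        if count >= self.limit:
            self._state[client] = (count, start)
            return False
        self._state[client] = (count + 1, start)
        return True


BUDGET = RequestBudget(limit=5, window_s=60.0)


def lookup_hardened(query: str, client: str, now: Optional[float] = None) -> dict:
    """An email address is never accepted as a search key, so registered and
    unregistered addresses get the identical answer; usernames (already public
    handles) resolve only to public fields; every client has a lookup budget."""
    if not BUDGET.allow(client, now):
        return _empty(429)
    if "@" in query:
        return _empty()
    user = BY_USERNAME.get(query.lower())
    if user is None:
        return _empty()
    return {"status": 200, "body": {"users": [{k: user[k] for k in PUBLIC_FIELDS}]}}


if __name__ == "__main__":
    print("leaky:   ", lookup_leaky("alice@example.org"), lookup_leaky("nobody@example.org"))
    print("hardened:", lookup_hardened("alice@example.org", "demo"),
          lookup_hardened("nobody@example.org", "demo"))
    print("by name: ", lookup_hardened("alice_learns", "demo"))
```

The budget alone would only slow a scraper down; the property that actually removes the oracle is that an email query returns the same status and body whether or not the address is registered, and that the email never appears in any response. Returning 429 on exhaustion reveals nothing about accounts, only about the caller's own rate.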
Such a query by email address will result in JSON-formatted data, revealing:
Have I Been Pwned's (HIBP) Troy Hunt explained how practically every one of the email addresses in the DuoLingo data could already be found in the HIBP database: the addresses the scraper tried came from earlier breaches, data that keeps being reused to compromise even more of our personal information. By trying millions and millions of addresses against the API, the scraper found 2.6 million matches on DuoLingo.
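Trying millions of addresses against one endpoint leaves a distinctive trace in the API gateway's logs: one client, many distinct email parameters, mostly misses. The following added example (not from the article, and not Duolingo's tooling) is a small detector for that pattern, run over constructed access-log lines. The log format, the client addresses (RFC 5737 test ranges) and the thresholds are assumptions; the regex would be adapted to the real gateway's format.

```python
"""Added example (not from the article): flag account-enumeration traffic
against an email-lookup endpoint from access logs. The log line shape,
client addresses and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Assumed log line shape, for example:
#   2023-01-12T10:00:01Z client=203.0.113.7 path=/users?email=a%40example.com status=404
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
EMAIL_PARAM_RE = re.compile(r"[?&]email=([^&\s]+)")


def parse_line(line: str) -> Optional[dict]:
    """Return client, queried email and status for an email-lookup request,
    or None for unparseable lines and requests that do not query by email."""
    m = LINE_RE.match(line)
    if not m:
        return None
    email = EMAIL_PARAM_RE.search(m["path"])
    if not email:
        return None
    return {"client": m["client"], "email": email.group(1).lower(), "status": int(m["status"])}


def flag_enumeration(lines: Iterable[str], min_distinct: int = 20,
                     min_miss_ratio: float = 0.8) -> Dict[str, dict]:
    """Per client: number of email lookups, distinct addresses queried and the
    share answered 404. A client querying many distinct addresses that mostly
    do not exist is flagged (assumed thresholds)."""
    stats = defaultdict(lambda: {"requests": 0, "emails": set(), "misses": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        s["emails"].add(rec["email"])
        if rec["status"] == 404:
            s["misses"] += 1
    flagged: Dict[str, dict] = {}
    for client, s in stats.items():
        distinct = len(s["emails"])
        miss_ratio = s["misses"] / s["requests"]
        if distinct >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[client] = {"requests": s["requests"], "distinct_emails": distinct,
                               "miss_ratio": round(miss_ratio, 2)}
    return flagged


def sample_log() -> List[str]:
    """Constructed log: one client testing 40 different addresses (36 unknown),
    one client looking up its own address twice and then a username."""
    lines = []
    for i in range(40):
        status = 200 if i % 10 == 0 else 404
        lines.append(f"2023-01-12T10:00:{i:02d}Z client=203.0.113.7 "
                     f"path=/users?email=user{i}%40example.com status={status}")
    lines.append("2023-01-12T10:01:00Z client=198.51.100.4 path=/users?email=me%40example.org status=200")
    lines.append("2023-01-12T10:01:05Z client=198.51.100.4 path=/users?email=me%40example.org status=200")
    lines.append("2023-01-12T10:01:06Z client=198.51.100.4 path=/users/alice_learns status=200")
    return lines


if __name__ == "__main__":
    for client, info in flag_enumeration(sample_log()).items():
        print(f"enumeration suspected from {client}: {info}")
```

The distinct-address count is the stronger of the two signals: a scraper working from a breach corpus will see a high miss rate, but a well-chosen list could push the hit rate up, whereas one legitimate client rarely needs to look up dozens of different addresses in a minute. Shared egress addresses (NAT, corporate proxies) can inflate the per-client counts, so a real deployment keys on an API key or session where one exists and treats the address-based result as a lead rather than a verdict.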
Troy Hunt added:
> "I’m a Duolingo user but because I have a unique email address on every service, I’m not in there"
Even though most of the scraped data is publicly available, it gives cybercriminals yet another chance to correlate more information with a specific email address or name. Affected users should be wary of phishing emails making use of this information. For example, since you are interested in a certain language you might be more likely to fall for an email inviting you to visit a country where that language is spoken.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.