Search This Blog

Powered by Blogger.

Blog Archive

Labels

Duolingo Data Breach: Hackers Posts Scrapped Data on Hacking Forum

The hackers gathered the data by manipulating existing vulnerabilities present in the Duolingo API, enabling access to user’s personal data.


After Discord’s data breach that resulted in its temporary halt in operations, the popular language learning app – Duolingo is facing a data breach.

An X post (previously tweeted) by user @vx-underground stated that a threat actor scraped data of over 2.6 million Duolingo users and posted it on the latest version of the hacking forum ‘Breached.’ BleepingComputer confirmed the breach in its recent post.

Apparently, the hackers gathered the data by manipulating existing vulnerabilities present in the Duolingo API, enabling access to user’s personal data, contact details, addresses, and much more, all by sending a valid email to the API.

The hackers further succeeded in finding active Duolingo users by feeding millions of email addresses to the vulnerable API. The email IDs were then used to create a dataset that contained public and non-public information. As an alternative, it is also feasible to supply a username to the API in order to obtain JSON output that contains sensitive user information.

But this is not the first time that this information has surfaced online. Falcon Feeds raised awareness of this problem via an X post in January. The scraped database was offered for sale for $1,500 on a previous iteration of the Breached hacker forum. Personal information about individuals, including email addresses, phone numbers, photographs, privacy settings, and much more, was revealed in the data.

Earlier, Duolingo had confirmed the data breach to TheRecord, assuring that it was investigating the issue. However, they did not mention that among the data was the private information of its users.

The most worrying aspect of this problem is that the corrupted API is still publicly accessible on the internet even though Duolingo first became aware of it in January. And, regrettably, this is not unexpected. Since most scraped data involves already-available information and is not the simplest to assemble into a credible threat, businesses frequently tend to ignore it.

In case of Duolingo, the breached data also involved sensitive data, that was not available publicly. While Duolingo is yet to address the issue, the most a user can do in this situation is modify their login credentials and/or delete their Duolingo accounts.     

Share it:

API Bug

Breached

Data Breach

Duolingo

Duolingo Data Breach

JSON

Personal Data

Sensitive data