Popular language learning app Duolingo has recently experienced a data breach, resulting in the leakage of sensitive user data. According to reports, a threat actor managed to scrape 2.6 million Duolingo user records and posted them on a new version of the popular hacking forum, Breached. The breach was confirmed by BleepingComputer in a recent blog post. What’s concerning is that this data has been made available on the forum for only $2.13, which is practically nothing.
The data breach was achieved by exploiting an existing bug in the Duolingo API, which allowed the bad actor to gain access to personal user details such as email addresses, contact details, and addresses. This was done by sending a valid email address to the API. The hacker was able to verify active Duolingo users by feeding millions of email addresses to the vulnerable API. The verified email addresses were then used to build a dataset containing both public and non-public information. It is also possible to retrieve sensitive user data by feeding a username to the API.
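The two defects described above, an endpoint that treats an email address as a lookup key (so any hit confirms the address belongs to an account) and that returns fields beyond the public profile, are easiest to see side by side. The following is an added example, not Duolingo's code or a reproduction of its API: a mock lookup handler with both flaws, a hardened version (username-only lookups, identical responses regardless of whether an email exists, public fields only, per-client rate limiting), and a log check for the bulk email-probing pattern. All accounts, field names, log lines and limits are constructed for the example.

```python
"""Added example (not Duolingo code): a user-lookup endpoint modelled on the
flaw described above, its hardened counterpart, and a log check for the
bulk email-probing pattern. All accounts, log lines and limits are constructed."""
import re
from collections import defaultdict, deque

# Constructed sample accounts; field names are assumptions for the example.
USERS = {
    "alice": {"username": "alice", "name": "Alice Example",
              "email": "alice@example.com", "phone": "+1-555-0100", "streak": 42},
    "bob": {"username": "bob", "name": "Bob Example",
            "email": "bob@example.com", "phone": "+1-555-0101", "streak": 7},
}
PUBLIC_FIELDS = {"username", "streak"}   # assumed public-profile fields


def lookup_vulnerable(query):
    """Accepts a username or an email and returns the whole record.
    Two defects: the email acts as a lookup key (so a hit confirms the
    address belongs to an account) and non-public fields are returned."""
    for user in USERS.values():
        if query in (user["username"], user["email"]):
            return dict(user)
    return None


class SlidingWindowLimiter:
    """Per-client request cap over a time window (in-memory, for illustration)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()                       # drop timestamps outside the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_hardened(query, client_id, limiter, now):
    """Username-only lookup: emails are rejected before any store access,
    so the answer is the same whether or not the address exists; only
    public fields are returned; each client is rate limited."""
    if not limiter.allow(client_id, now):
        return {"status": "rate_limited"}
    if "@" in query or not re.fullmatch(r"[a-z0-9_]{1,32}", query):
        return {"status": "invalid_query"}
    user = USERS.get(query)
    if user is None:
        return {"status": "not_found"}
    return {"status": "ok",
            "profile": {k: v for k, v in user.items() if k in PUBLIC_FIELDS}}


# Constructed access-log lines in an assumed "<ts> <client> q=<query> <code>" format.
ACCESS_LOG = """\
2023-08-22T10:00:01Z 203.0.113.5 q=alice@example.com 200
2023-08-22T10:00:01Z 203.0.113.5 q=bob@example.com 200
2023-08-22T10:00:02Z 203.0.113.5 q=carol@example.com 404
2023-08-22T10:00:02Z 203.0.113.5 q=dave@example.com 404
2023-08-22T10:00:03Z 203.0.113.5 q=erin@example.com 404
2023-08-22T10:00:09Z 198.51.100.7 q=alice 200
2023-08-22T10:00:10Z 198.51.100.7 q=alice@example.com 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) q=(\S+) (\d{3})$")


def flag_email_probing(log_text, threshold):
    """Return {client: distinct_email_queries} for clients at or above threshold.
    Many distinct addresses from one client is the enumeration signature."""
    emails_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, query, _code = m.groups()
        if "@" in query:
            emails_by_client[client].add(query)
    return {c: len(s) for c, s in emails_by_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))                   # leaks name and phone
    lim = SlidingWindowLimiter(max_requests=3, window_seconds=60)
    print(lookup_hardened("alice@example.com", "c1", lim, now=0.0))  # invalid_query
    print(lookup_hardened("alice", "c1", lim, now=1.0))              # public fields only
    print(flag_email_probing(ACCESS_LOG, threshold=3))               # {'203.0.113.5': 5}
```

The hardened handler rejects email-shaped input before touching the store, which is what removes the existence oracle; the rate limiter and the log check are defence in depth, since a legitimate client has no reason to look up hundreds of distinct addresses.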
Interestingly, this is not the first time that this data has appeared online. Falcon Feeds had previously reported on this issue back in January when the scraped database was posted on the older version of the Breached hacking forum for $1,500. At that time, Duolingo acknowledged the issue but failed to address the fact that private information like email addresses was also part of the data that had been breached.
One of the most alarming aspects of this breach is the fact that the vulnerable API is still openly available on the web. Despite being made aware of the issue back in January, Duolingo has yet to resolve this vulnerability. While companies often neglect scraped data because it typically consists of already public information and poses no credible threat, in the case of Duolingo the scraped data contained sensitive user information that was not publicly available.
As of now, users whose data has been leaked can only wait for Duolingo to address the issue on a priority basis. If your data is among those that have been breached, it is advisable to change your credentials and consider deleting your Duolingo account for added security. With the rise in cybersecurity crimes, it is imperative for organizations to implement strict data protection measures to ensure the security and privacy of user data. However, even with these measures in place, bad actors continue to find ways to breach security systems and access sensitive information.