The data of millions of Duolingo users, which was hacked and put up for sale on a hacker forum earlier this year, has now been released on another forum, raising concerns about privacy and data security. In January 2023, Duolingo confirmed that it was investigating a cyber attack on its platform. However, the recent release of the data leak containing the personal information of 2.6 million users, including names, emails, and other data, has caused a major privacy concern among Duolingo users.
Earlier this year, security researchers uncovered a data sale on a hacker forum where a seller with the username ‘House’ offered to sell 2.6 million Duolingo account entries. The hacker claimed to have scraped this data from an exposed API. Data scraping is a method of importing information from websites into files or spreadsheets; it can be done using software applications and is often used by companies for various purposes such as marketing and maintaining user records.
The seller provided samples of 1,000 Duolingo accounts as proof to potential buyers. The data on sale included email addresses, names, phone numbers, joined classroom IDs, streaks, motivations, acquisition survey reasons, pictures, language selected, connected Facebook IDs, beta status, and privacy settings. The starting price for this data was $1,500.
Duolingo responded to these claims by stating that the records were obtained through data scraping of public profile information and denied experiencing a data breach or hack. However, House from the hacker forum alleged that they exploited a vulnerability in the Duolingo API to access sensitive information. According to a report by Laptop Mag, the hacker may have used email addresses leaked in previous breaches to gain access to the Duolingo API and confirm whether they were connected to active Duolingo accounts. This allowed the hacker to create a collection of both public and non-public information.
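The lookup pattern described in the Laptop Mag report, one client testing many different email addresses against a user-lookup API, is something an API operator can look for in access logs. The sketch below is an added example, not code from Duolingo or from the report; the `/api/users` path, the `email` query parameter, the response-size heuristic and the sample log lines are all hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real data). The /api/users path and
# the "email" parameter are hypothetical stand-ins for a user-lookup API.
SAMPLE = [
    f'203.0.113.7 - - [10/Jan/2023:10:00:0{i} +0000] '
    f'"GET /api/users?email=user{i}%40example.com HTTP/1.1" 200 {size}'
    for i, size in enumerate([812, 2, 2, 790, 2])
] + [
    '198.51.100.4 - - [10/Jan/2023:10:00:03 +0000] "GET /api/users?email=me%40example.org HTTP/1.1" 200 805',
    '198.51.100.4 - - [10/Jan/2023:10:05:03 +0000] "GET /api/users?email=me%40example.org HTTP/1.1" 200 805',
]

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"GET (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

def parse(lines, lookup_path="/api/users"):
    """Yield (ip, time, email, matched) for each email-lookup request."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        emails = parse_qs(url.query).get("email")  # parse_qs decodes %40 to @
        if url.path != lookup_path or not emails:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Assumption: a body larger than an empty JSON list means an account matched.
        matched = m["status"] == "200" and int(m["size"]) > 20
        yield m["ip"], ts, emails[0].lower(), matched

def find_enumerators(lines, max_distinct=3, window=timedelta(minutes=1)):
    """Return {ip: (emails tried, accounts confirmed)} for clients that look up
    more than max_distinct different emails inside any sliding time window."""
    by_ip = defaultdict(list)
    for ip, ts, email, matched in parse(lines):
        by_ip[ip].append((ts, email, matched))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({e for _, e, _ in events[start:end + 1]}) > max_distinct:
                tried = {e for _, e, _ in events}
                flagged[ip] = (len(tried), len({e for _, e, ok in events if ok}))
                break
    return flagged
```

A user repeatedly loading their own profile produces one distinct email and is not flagged, while the client cycling through addresses is reported together with how many lookups confirmed an account.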
The release of this data has raised concerns about the potential misuse of personal information. A cybersecurity service called Vx-underground tweeted about the data breach and mentioned that the dark web user who accessed the email addresses may use them for doxxing. Doxing, or doxxing, refers to the act of publicly leaking someone’s personally identifiable information for malicious purposes.
The data has been on sale since January, but no action has been reported to address the Duolingo data leak or sale. Users are advised to take precautions to protect their personal information and monitor their online accounts for any suspicious activity. There are platforms available, such as Am I Breached, that allow users to check if their information is present on the dark web.
In conclusion, the release of the Duolingo user data on another hacker forum has intensified privacy concerns among users. While Duolingo denies experiencing a data breach, the alleged data scraping and vulnerabilities in their API have raised questions about the security of user information. It is crucial for users to remain vigilant and take necessary steps to protect their personal data in the wake of this incident.

