Data of 2.6 million Duolingo users was recently discovered publicly on a hacker forum.
Duolingo is the world’s largest language learning website and app with over 74 million monthly users. According to Bleeping Computer, the exposed personal data users of Duolingo will allow hackers to carry out targeted phishing attacks.
In January 2023, an account on a hacker forum sold data collected from 2.6 million Duolingo users for $1,500, which is now also down.
This data includes login credentials, real names as well as non-public information, including email addresses and inside information related to Duolingo’s services. While Duolingo user profiles reveal their real names and usernames, email addresses are hidden information
Duolingo confirmed to TheRecord that the data collected and for sale was obtained from public records and that the service is also investigating whether precautions should be taken. However, Duolingo doesn’t mention the fact that email addresses are also listed in the data. Data from 2.6 million users was released yesterday on a new version of the hacker forum for just $2.13. This data was collected using a publicly shared application programming interface (API) since March 2023.
This Duolingo API allows any submitter to retrieve a user’s public profile information. However, it is also possible to feed an email address into the API and confirm if it is associated with a Duolingo account.BleepingComputer says the API remained publicly available even after its abuse was reported to Duolingo in January. The hacker could predictably put millions of email addresses – possibly exposed in previous data breaches – into the API to see if they belonged to a Duolingo account. These email addresses are then used to create datasets containing public and non-public information
Companies tend to discard the collected data, as most of it is already public. However, when public data is mixed with private data like phone numbers and email addresses, it makes exposed information more risky and potentially violates data protection laws. In 2021, Facebook was exposed to a large amount of data after the “Add Friend” API was abused to link phone numbers to the Facebook accounts of 533 million users. The Irish Data Protection Commission (DPC) fined Facebook 265 million euros ($275.5 million) for causing this data leak. Recently a bug in Twitter’s API was used to obtain public data and email addresses of millions of users, leading to a DPC investigation. Duolingo has not yet explained why it is still making this API public to everyone after reporting abuse
