The latest Duolingo data breach exposed 2.6 million users, and the scraped records are now posted on a cybercrime forum for next to nothing.
In a concerning turn of events, the widely-used language learning app, Duolingo, has become the latest data breach target, putting the personal information of 2.6 million users at risk. The breached data, which includes sensitive details like email addresses, usernames, names, and phone numbers, has found its way onto the underground cybercrime marketplace, BreachForums.
The incident has raised questions about data security and privacy practices, prompting the company to take action. Let’s delve into the details of this breach and its potential implications.
2.6 million were affected by the Duolingo data breach
Duolingo users were met with bad news when it was discovered that a significant amount of user data had been exposed online. Approximately 2.6 million individuals had their personal information scraped and put up for sale on BreachForums, an underground marketplace known for hosting such illegal trades.
The exposed information contains a range of data, from basic identifiers like usernames and names to more detailed insights such as social network profiles, language studies, experience levels, and even progress and achievements within the app.
The full dataset containing the details of over 2.6 million users has been up for grabs since January, when it was first offered for $1,500. The same data trove, a potential goldmine for cybercriminals, is now available for 8 credits of the BreachForums in-house currency, roughly $2.13.
This stark revelation has set off alarm bells within the cybersecurity community, leaving experts and users alike concerned about the extent of the breach’s fallout. “Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!” the hacker wrote on the forum.
Researchers broke down the Duolingo data breach
Researchers at vx-underground traced the dataset to abuse of Duolingo's API rather than a break-in. The endpoint accepted an email address and, if an account existed for it, returned that account's basic details. That turns the API into an account-enumeration oracle: anyone holding a list of email addresses from earlier breaches can confirm which of them belong to Duolingo users and tie each one to a real name and username. The resulting records are useful for doxxing (publishing someone's private details) and for targeted phishing that references the victim's name, username and the languages they study.
A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied).
They used an email list to assemble over 2.6m unique entries.
This will be used for doxxing.
— vx-underground (@vxunderground) August 21, 2023
Cybernews researchers found that the exposure does not end with the posted dataset. At the time of their check, Duolingo profile data could still be scraped the same way, and the API exposes further fields such as location data and public avatars. The weakness is the exposed application programming interface (API) itself: because it can be queried by email address, anyone can harvest an individual's public profile data and link it to an address that was never shown on the profile.
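To make the mechanism concrete, the following is an added example (not Duolingo's code, and not the scraper the attacker used) that models the lookup pattern the article describes on a constructed user table, shows the attacker's email-list loop against it, contrasts it with a lookup keyed by username only, and runs a simple enumeration detector over constructed access-log lines. All names, the log format and the endpoint path are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed stand-in for the service's user table (not real data).
USERS = {
    "alice@example.com": {"username": "alice_lingo", "name": "Alice A.", "languages": ["es", "fr"]},
    "bob@example.com":   {"username": "bob42",       "name": "Bob B.",   "languages": ["de"]},
    "carol@example.com": {"username": "carol_c",     "name": "Carol C.", "languages": ["ja"]},
}


def vulnerable_lookup(email):
    """The pattern the article describes: an unauthenticated endpoint that takes an
    email address and returns the matching account's profile. The leak is not the
    profile fields themselves (they are public) but the join email -> identity."""
    return USERS.get(email)


def scrape(candidate_emails):
    """Attacker side: feed addresses from an unrelated breach list through the
    lookup and keep the hits. Each hit confirms the address has an account and
    ties it to a name and username; misses cost nothing but a request."""
    linked = {}
    for email in candidate_emails:
        profile = vulnerable_lookup(email)
        if profile:
            linked[email] = {"username": profile["username"], "name": profile["name"]}
    return linked


def public_profile(username):
    """Hardened design: public data is keyed only by the handle the user chose to
    expose. An email address never appears in a request for someone else's
    profile, so an attacker holding an email list has no oracle to query."""
    for profile in USERS.values():
        if profile["username"] == username:
            return {"username": profile["username"], "languages": profile["languages"]}
    return None


# Assumed log format: "<client_ip> - \"GET /api/users?email=<addr>\" <status>"
LOG_RE = re.compile(r'^(\S+) \S+ "GET /api/users\?email=([^"\s]+)" (\d{3})$')


def detect_enumeration(log_lines, min_distinct=5, max_hit_rate=0.5):
    """Defender side: flag clients that query the lookup with many distinct
    emails, most of which miss. A real user looks up one address (their own);
    a scraper running a breach list mostly probes addresses with no account."""
    per_client = defaultdict(lambda: {"emails": set(), "requests": 0, "hits": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a lookup request; ignore
        client, email, status = m.groups()
        entry = per_client[client]
        entry["emails"].add(email)
        entry["requests"] += 1
        if status == "200":
            entry["hits"] += 1
    flagged = {}
    for client, entry in per_client.items():
        distinct = len(entry["emails"])
        hit_rate = entry["hits"] / entry["requests"]
        if distinct >= min_distinct and hit_rate <= max_hit_rate:
            flagged[client] = {"distinct_emails": distinct,
                               "requests": entry["requests"],
                               "hits": entry["hits"]}
    return flagged


# Constructed access-log sample: one legitimate self-lookup, one scraper.
SAMPLE_LOG = [
    '203.0.113.7 - "GET /api/users?email=alice@example.com" 200',
    '198.51.100.9 - "GET /api/users?email=alice@example.com" 200',
    '198.51.100.9 - "GET /api/users?email=bob@example.com" 200',
    '198.51.100.9 - "GET /api/users?email=dave@example.com" 404',
    '198.51.100.9 - "GET /api/users?email=erin@example.com" 404',
    '198.51.100.9 - "GET /api/users?email=frank@example.com" 404',
    '198.51.100.9 - "GET /api/users?email=grace@example.com" 404',
]

if __name__ == "__main__":
    breach_list = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("linked by scraper:", scrape(breach_list))
    print("profile by handle:", public_profile("carol_c"))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The detector is deliberately coarse: a threshold on distinct addresses per client plus a low hit rate catches a scraper walking a breach list, but a distributed scraper with many source addresses needs the same counting done per account, token or API key rather than per IP. The lasting fix is the `public_profile` shape: a public endpoint should never accept an identifier the user has not chosen to publish.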
Duolingo is working on it
Duolingo responded quickly, acknowledging the incident while maintaining that its systems had not been hacked: according to the company, the records were gathered from publicly available profile information through its open API, not taken from an internal database. A spokesperson said that user data privacy and security are of paramount importance, and that the company is actively investigating the matter and assessing whether additional measures are needed to safeguard its users' information.
As the investigation unfolds, the incident is a reminder that data harvested through a public API can do as much harm as data taken from a database: companies need to treat lookup endpoints, the identifiers they accept, the fields they return and their rate limits as part of the attack surface, and monitor them continuously. While Duolingo decides on its next steps, affected users should expect that their email address can now be tied to their name and username, and be wary of unsolicited messages that use those details, especially ones claiming to come from Duolingo.
Featured image credit: Duolingo