Data from 2.6 million Duolingo users is now accessible on the cybercrime marketplace, BreachForums. The information, first put on sale in January, contains users’ email addresses, usernames, phone numbers (if provided), and other details, including their language study progress.
- Data from 2.6 million Duolingo users has been exposed on BreachForums, containing details like email addresses and language study progress.
- A vulnerability in Duolingo’s Open API allows potential data scraping, including user locations and public avatars.
- Duolingo asserts that the exposed data was obtained by scraping public profiles, with no indication of their systems being compromised.
Research from Vx-underground indicates that a threat actor identified a bug in Duolingo’s Open API, which, on receiving a valid email address, returns generic account details. Experts warn that this exposed data could be used for doxxing (a cyber tactic to reveal and publicize a user’s private information), raising concerns over potential targeted phishing attacks.
Cybernews further found that Duolingo’s data is still ripe for scraping, indicating a potential risk of hackers accessing more data like user locations and public avatars. The vulnerability arises from Duolingo’s openly accessible application programming interface (API). Several Twitter users, including Ivano Somaini, have mentioned the public availability of this API as early as March.
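One way an API operator could spot the bulk email lookups described above is to count distinct email addresses queried per client in a sliding window. This is an added example, not code from the article or from Duolingo; the `/lookup?email=` path, the log layout, the thresholds and the sample log are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_DISTINCT = 20               # assumed ceiling on distinct emails per client per window


def parse_line(line):
    """Parse 'ISO-time client METHOD url status' into (time, client, email or None)."""
    ts, client, _method, url, _status = line.split()
    emails = parse_qs(urlsplit(url).query).get("email", [])
    return datetime.fromisoformat(ts), client, (emails[0].lower() if emails else None)


def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak distinct emails} for clients that exceed max_distinct."""
    recent = defaultdict(deque)                     # client -> (time, email) in window
    counts = defaultdict(lambda: defaultdict(int))  # client -> email -> hits in window
    flagged = {}
    for line in lines:
        ts, client, email = parse_line(line)
        if email is None:
            continue
        queue, seen = recent[client], counts[client]
        queue.append((ts, email))
        seen[email] += 1
        # Expire lookups older than the window and forget emails no longer in it.
        while ts - queue[0][0] > window:
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > max_distinct:
            flagged[client] = max(flagged.get(client, 0), len(seen))
    return flagged


def sample_log():
    """Constructed log: one client walks an email list, another looks up three friends."""
    t0 = datetime(2023, 1, 1, 12, 0, 0)
    fmt = "{} {} GET /lookup?email={} 200"  # hypothetical endpoint path
    rows = [fmt.format((t0 + timedelta(seconds=2 * i)).isoformat(), "203.0.113.7",
                       f"user{i}@example.com") for i in range(40)]
    rows += [fmt.format((t0 + timedelta(seconds=20 * i)).isoformat(), "198.51.100.4",
                        f"friend{i}@example.org") for i in range(3)]
    return sorted(rows)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Counting distinct addresses rather than raw requests keeps a user who retries the same friend search from being flagged, while a client working through an email list stands out quickly.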
Responding to these revelations, a Duolingo spokesperson stated that the records were obtained by scraping public profiles, and there’s no evidence of a system compromise. The spokesperson clarified, “The API involved was designed to help users find friends on Duolingo. Users can opt for private profiles to avoid public searches.”
Notably, Duolingo, boasting over 500 million registered users, emphasized that the email addresses linked to this incident were sourced from other sites and not directly from their platform.
For context, Duolingo, a leading language learning app established in 2011 by Luis von Ahn and Severin Hacker, now has over 60 million monthly active users.