Data Breach Alert: 2.6 Million Duolingo Users’ Information Leaked on Hacking Forum

The article from BleepingComputer reports a significant data breach involving the scraped data of 2.6 million Duolingo users, which was leaked on a hacking forum. This breach poses a risk of targeted phishing attacks using the exposed information.

Key Points of the Duolingo Data Breach

1. Extent of the Leak: The leaked data includes a mix of public login and real names, along with non-public information such as email addresses and internal details related to the Duolingo service.
2. Initial Sale of Data: In January 2023, the data was sold on the now-shutdown Breach hacking forum for $1,500.
3. Concerns Over Email Addresses: Including email addresses in the leaked data is particularly concerning as it allows threat actors to use this public data for targeted attacks.
4. Duolingo’s Response: Duolingo confirmed that the data was scraped from public profile information and stated they were investigating the need for further precautions. However, they did not address the issue of email addresses being part of the leaked data.
5. Release of Data on Hacking Forum: The dataset was released on a new version of the Breached hacking forum for a nominal fee, making it accessible to threat actors.
6. API Exploitation: The data was scraped using an exposed application programming interface (API) that allowed retrieval of the user’s public profile information. The API could also confirm if an email address is associated with a valid Duolingo account.
7. Duolingo’s Inaction on API: Despite the abuse of the API being reported in January, it remains publicly available, allowing continued exploitation.
8. Risks of Scraped Data: The combination of public and private data in such leaks can increase the risk to users and potentially violate data protection laws, as seen in past incidents with Facebook and Twitter.

The Duolingo data breach highlights the risks associated with scraped data, mainly when it includes a mix of public and private user information. The continued availability of the exploited API raises concerns about the potential for further misuse of user data.

For more detailed information and updates on the Duolingo data breach, read the full article on BleepingComputer: Scraped data of 2.6 million Duolingo users released on hacking forum.