Duolingo: If you've ever used it, hackers may have your data — how to check
Hackers say 'bingo' after data scraping Duolingo
Duolingo is in hot water after it was revealed that hackers scraped data of 2.6 million users from the language-learning app, according to BleepingComputer. Duolingo confirmed to TheRecord that it's investigating a post on Breached, a hacking forum, that offered its customers' details for $1,500.
Interestingly, however, a Duolingo spokesperson denies that a data breach or hack occurred. "These records were obtained by data scraping public profile information," a Duolingo spokesperson said.
However, BleepingComputer isn't convinced; the exposed data includes users' email addresses, which are not available to the public.
How it all went down
In January 2023, a malicious actor was selling scraped data of 2.6 million Duolingo users on a now-defunct version of Breached. As mentioned, the price tag for the exposed information was $1,500.
According to BleepingComputer, this data includes users' real names, public login, email addresses, and even their language-learning progress. On Monday, X user VX-Underground spotted that the Duolingo data leak was released on a new version of the Breached forum.
A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied). They used an email list to assemble over 2.6m unique entries. This will be used for doxxing. (August 21, 2023)
The threat actor claims that he snagged Duolingo users' information by scraping an exposed API. Pundits suspect that the threat actor fed this API email addresses leaked in previous breaches. Next, the API likely confirmed whether the email addresses are connected with an active Duolingo account. Consequently, the threat actor had the opportunity to create a Duolingo customer data collection that features a mélange of both public and non-public information.
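For defenders, the pattern described above (one client looking up many different email addresses in a short time) shows up in API access logs. The sketch below is an added example, not code from Duolingo or from the original article; the log format, the `/api/example/users` placeholder path, the client names, and the thresholds are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

WINDOW_SECONDS = 60       # assumed sliding-window size
MAX_DISTINCT_EMAILS = 5   # assumed per-client threshold


def build_sample_log():
    """Constructed access log: '<epoch> <client> <method> <url> <status>'.
    /api/example/users is a placeholder path, not a real endpoint."""
    path = "/api/example/users?email="
    lines = []
    for i in range(8):
        # client-a: 8 different addresses in 35 seconds (enumeration pattern)
        lines.append(f"{1000 + 5 * i} client-a GET {path}user{i}%40example.com 200")
        # client-b: the same address repeatedly (ordinary usage)
        lines.append(f"{1000 + 5 * i} client-b GET {path}me%40example.com 200")
        # client-c: different addresses, but one every 100 seconds
        lines.append(f"{1000 + 100 * i} client-c GET {path}user{i}%40example.com 404")
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, client, looked-up email or None)."""
    ts, client, _method, url, _status = line.split()
    emails = parse_qs(urlsplit(url).query).get("email", [])
    return int(ts), client, emails[0].lower() if emails else None


def find_enumerators(log_text, window=WINDOW_SECONDS, limit=MAX_DISTINCT_EMAILS):
    """Map each client exceeding `limit` distinct emails within any
    `window`-second span to its peak distinct-email count."""
    lookups = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, email = parse_line(line)
        if email:
            lookups[client].append((ts, email))
    flagged = {}
    for client, items in lookups.items():
        items.sort()
        start = peak = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] >= window:
                start += 1
            peak = max(peak, len({e for _, e in items[start:end + 1]}))
        if peak > limit:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Counting distinct addresses rather than raw requests keeps a user who repeatedly looks up their own account from being flagged, and hits and misses are counted alike because both confirm something to the requester.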
How to check if you've been compromised
Interestingly, Have I Been Pwned, a site that lets you check whether you've been compromised in data leaks, tweeted that 100% of the details scraped from the Duolingo breach were already in its database.
New scraped data: Duolingo had 2.6M records scraped from a vulnerable API earlier this year and posted to a hacking forum today. Data included name, email, username and learning progress. 100% were already in @haveibeenpwned. Read more: https://t.co/fR3d9rPody (August 23, 2023)
Have I Been Pwned added the Duolingo data breach to its system, so you can check the site to see whether your information fell into the wrong hands.
Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!