Scraped data of 2.6 million Duolingo users released on hacking forum

Cyber Security Threat Summary:
“The scraped data of 2.6 million Duolingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million Duolingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the Duolingo service. While the real name and login name are publicly available as part of a user's Duolingo profile, the email addresses are more concerning as they allow this public data to be used in attacks. When the data was for sale, Duolingo confirmed to TheRecord that it was scraped from public profile information and that they were investigating whether further precautions should be taken. However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information” (Bleeping Computer, 2023).

Security Officer Comments:
The data was allegedly scraped using Duolingo’s API, which has been exposed and shared openly with the public since at least March 2023. By leveraging this API, any individual can submit a username and retrieve a JSON response containing that user’s public profile information. The same API also accepts an email address and indicates whether that address is associated with a valid Duolingo account. In this case, the threat actors most likely fed millions of email addresses, likely obtained from previous data breaches, into the API, allowing them to match those emails to user accounts.
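Bulk email-to-account matching of the kind described above leaves a recognisable trace in API access logs: one client probing many distinct email addresses in a short window, with a high share of not-found responses. The following Python script is an added illustration of that detection logic, not Duolingo’s code; the log line format, the `/api/users` path, the sample entries and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a hypothetical "<ts> <client_ip> <method> <path> <status>" format.
SAMPLE_LOG = """\
2023-01-10T12:00:00Z 203.0.113.5 GET /api/users?email=u1%40example.com 404
2023-01-10T12:00:01Z 203.0.113.5 GET /api/users?email=u2%40example.com 404
2023-01-10T12:00:01Z 203.0.113.5 GET /api/users?email=u3%40example.com 200
2023-01-10T12:00:02Z 203.0.113.5 GET /api/users?email=u4%40example.com 404
2023-01-10T12:00:03Z 203.0.113.5 GET /api/users?email=u5%40example.com 200
2023-01-10T12:00:03Z 203.0.113.5 GET /api/users?email=u6%40example.com 404
2023-01-10T12:00:05Z 198.51.100.7 GET /api/users?username=alice 200
2023-01-10T12:00:40Z 198.51.100.7 GET /api/users?email=alice%40example.com 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, client_ip, email, status) for an email-lookup request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, _method, path, status = m.groups()
    emails = parse_qs(urlsplit(path).query).get("email")
    if not emails:
        return None  # username lookups read public profile data; they are not the email oracle
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, emails[0].lower(), int(status)

def detect_email_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each flagged client_ip to (max distinct emails probed within one window, 404 count).
    A client is flagged when it probes at least `threshold` distinct emails inside `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec[1]].append(rec)
    flagged = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r[0])
        best, start = 0, 0
        for end in range(len(recs)):  # sliding window over this client's email lookups
            while recs[end][0] - recs[start][0] > window:
                start += 1
            best = max(best, len({r[2] for r in recs[start:end + 1]}))
        not_found = sum(1 for r in recs if r[3] == 404)
        if best >= threshold:
            flagged[ip] = (best, not_found)
    return flagged

if __name__ == "__main__":
    for ip, (probes, misses) in detect_email_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {probes} distinct emails probed within 60s ({misses} not found)")
```

A single account-existence check per client is normal behaviour and is left alone; the signal is the volume of distinct addresses tried, so tune the window and threshold to the endpoint's legitimate usage before alerting on it.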

Suggested Correction(s):
With email addresses matched to Duolingo accounts, threat actors can build datasets that combine them with other publicly known information, such as phone numbers, to launch targeted social engineering and phishing attacks. As such, users should be on the lookout for malicious emails from unknown senders requesting confidential information.