Duolingo Suffers Massive Data Breach: Scraped Data Lands On Hacking Forum
Duolingo Users Data Leaked Online
According to an X (formerly Twitter) post by @vx-underground, a threat actor extracted 2.6 million scraped Duolingo user records and posted them on a new version of the popular hacking forum Breached. BleepingComputer confirmed the breach in a recent blog post. Worse still, the data is being offered on the forum for 8 site credits, worth only $2.13, which is practically nothing.
The data was collected by abusing an existing bug in the Duolingo API: submitting a valid email address returned that user's personal details, such as their email ID, contact details, addresses, and much more.
The hacker was able to verify active Duolingo users by feeding millions of email addresses to the vulnerable API. The verified email IDs were then used to build a dataset containing both public and non-public information. Alternatively, feeding a username to the API returns JSON output containing sensitive user data.
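A defender's view of the pattern just described, as an added example that is not Duolingo's code or anything from the article: it scans constructed web-server access logs for clients that submit many distinct email or username values to an account-lookup endpoint within a short window, which is what mass verification of an address list looks like on the server side. The log format, endpoint path and parameter names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format and endpoint (neither is Duolingo's; the article names no path):
# "<ip> <ISO timestamp> <method> /api/user-lookup?email=<value> <status>"
LOOKUP_RE = re.compile(
    r"^(\S+) (\S+) \S+ /api/user-lookup\?(?:email|username)=([^&\s]+)\S* (\d{3})$")

def parse_lookups(lines):
    """Yield (ip, timestamp, looked-up value, status) for account-lookup requests only."""
    for line in lines:
        m = LOOKUP_RE.match(line.strip())
        if m:
            ip, ts, target, status = m.groups()
            yield ip, datetime.fromisoformat(ts), target, int(status)

def find_enumerators(lines, window_s=60, min_requests=20, min_distinct=15):
    """Flag clients that look up many distinct accounts within window_s seconds.
    One user checks an address or two; a scraper walks a list, so the distinct-target
    count is the tell. Returns the busiest window's stats per flagged client."""
    per_ip = defaultdict(list)
    for ip, ts, target, status in parse_lookups(lines):
        per_ip[ip].append((ts, target, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            distinct = {t for _, t, _ in win}
            if len(win) >= min_requests and len(distinct) >= min_distinct:
                best = flagged.get(ip)
                if best is None or len(win) > best["requests"]:
                    # 404s show the client is probing addresses that have no account
                    flagged[ip] = {"requests": len(win), "distinct_targets": len(distinct),
                                   "not_found": sum(1 for _, _, s in win if s == 404)}
    return flagged

# Constructed sample traffic: one ordinary client and one client walking an email list.
SAMPLE_LOG = [
    "10.0.0.5 2023-08-22T10:00:01 GET /api/user-lookup?email=alice%40example.com 200",
    "10.0.0.5 2023-08-22T10:00:09 GET /api/user-lookup?email=alice%40example.com 200",
] + [
    f"198.51.100.7 2023-08-22T10:00:{i:02d} GET /api/user-lookup?email=user{i}%40example.net "
    f"{200 if i % 3 == 0 else 404}"
    for i in range(30)
]
```

The thresholds are starting points; a real deployment would tune them per endpoint and key on a session or API-key identity as well as the client address.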
However, this is not the first time this data has appeared online. Back in January, Falcon Feeds brought this issue to light via an X post. The scraped database was posted on the older version of the Breached hacking forum for $1,500. The exposed data contained personal information of users, including their email addresses, phone numbers, pictures, privacy settings, and much more.
Duolingo acknowledged the issue to TheRecord at the time and assured everyone that it was investigating the matter. However, the platform somehow missed the fact that private information such as email addresses was also part of the scraped data.
Now, the most concerning part of this issue is that the vulnerable API is still openly available to everyone on the web, even though the problem caught Duolingo's attention back in January. Sadly, this is not surprising. Companies often neglect scraped data because it mostly contains already-public information and is not easy to compile into a credible threat.
In Duolingo's case, however, the scraped data also contained sensitive user information that is not publicly available. For now, we can only wait for Duolingo to resolve this issue as a priority. If your data is among those leaked, the most you can do is change your credentials and/or delete your Duolingo account.