The scraped knowledge of two.6 million DuoLingo customers was leaked on a hacking discussion board, permitting menace actors to conduct focused phishing assaults utilizing the uncovered data.
Duolingo is without doubt one of the largest language studying websites on the earth, with over 74 million month-to-month customers worldwide.
In January 2023, somebody was promoting the scraped knowledge of two.6 million DuoLingo customers on the now-shutdown Breached hacking discussion board for $1,500.
This knowledge features a combination of public login and actual names, and private data, together with e-mail addresses and inner data associated to the DuoLingo service.
Whereas the true title and login title are publicly out there as a part of a consumer’s Duolingo profile, the e-mail addresses are extra regarding as they permit this public knowledge for use in assaults.
Supply: Falcon Feeds
When the information was on the market, DuoLingo confirmed to TheRecord that it was scraped from public profile data and that they have been investigating whether or not additional precautions needs to be taken.
Nonetheless, Duolingo didn’t tackle the truth that e-mail addresses have been additionally listed within the knowledge, which isn’t public data.
As first noticed by VX-Underground, the scraped 2.6 million consumer dataset was launched yesterday on a brand new model of the Breached hacking discussion board for 8 website credit, price solely $2.13.
“At present I’ve uploaded the Duolingo Scrape so that you can obtain, thanks for studying and revel in!,” reads a submit on the hacking discussion board.
Supply: BleepingComputer
This knowledge was scraped utilizing an uncovered software programming interface (API) that has been shared overtly since at the very least March 2023, with researchers tweeting and publicly documenting easy methods to use the API.
The API permits anybody to submit a username and retrieve JSON output containing the consumer’s public profile data. Nonetheless, it’s also doable to feed an e-mail tackle into the API and ensure whether it is related to a legitimate DuoLingo account.
BleepingComputer has confirmed that this API remains to be overtly out there to anybody on the internet, even after its abuse was reported to DuoLingo in January.
This API allowed the scraper to feed tens of millions of e-mail addresses, possible uncovered in earlier knowledge breaches, into the API and ensure in the event that they belonged to DuoLingo accounts. These e-mail addresses have been then used to create the dataset containing public and private data.
One other menace actor shared their very own API scrape, mentioning that menace actors wishing to make use of the information in phishing assaults ought to take note of particular fields that point out a DuoLingo consumer has extra permission than an everyday consumer and are thus extra precious targets.
BleepingComputer has contacted DuoLingo with questions on why the API remains to be publicly out there however didn’t obtain a reply on the time of this publication.
Scraped knowledge repeatedly dismissed
Firms are inclined to dismiss scraped knowledge as not a difficulty as many of the knowledge is already public, even when it’s not essentially simple to compile.
Nonetheless, when public knowledge is combined with personal knowledge, reminiscent of telephone numbers and e-mail addresses, it tends to make the uncovered data extra dangerous and doubtlessly violate knowledge safety legal guidelines.
For instance, in 2021, Fb suffered an enormous leak after an “Add Pal” API bug was abused to hyperlink telephone numbers to Fb accounts for 533 million customers. The Irish knowledge safety fee (DPC) later fined Fb €265 million ($275.5 million) for this leak of scraped knowledge.
Extra just lately, a Twitter API bug was used to scrape the general public knowledge and e-mail addresses of tens of millions of customers, resulting in an investigation by the DPC.
