Over 2.6 Million DuoLingo Users’ Info Exposed in a Hacker’s Forum

The popular language learning platform has come under scrutiny as a post on a hacker’s forum offers access to information from 2.6 million customer accounts for a mere $1,500. 

Duolingo is an American educational technology company that produces learning apps and provides language certification.

The hacking forum post, created on a Tuesday morning, caught DuoLingo’s attention as it offered sensitive customer account details, including emails, phone numbers, courses taken, and other usage-related information for a price.

A spokesperson for the company has stated to Record that these records were amassed through data scraping public profile information, emphasizing that no data breach or hack has occurred. 

“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”

DuoLingo’s team is actively investigating the matter to assess the need for further protective actions to ensure their users’ safety.

The Origins of Data Scraping

Data scraping, or web scraping involves automated data extraction from websites and online platforms. 

While scraping of public information is common, it becomes problematic when sensitive and private data is compromised. 

In this case, the hacker claimed to have sourced the information by exploiting an exposed Application Programming Interface (API).

A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied).

They used an email list to assemble over 2.6m unique entries.

This will be used for doxxing.

— vx-underground (@vxunderground) August 21, 2023

The hacker also showcased their illicit achievement by sharing a sample dataset from 1,000 accounts.

The Widespread Nature of Web Scraping

The DuoLingo incident highlights a pervasive problem faced by tech companies worldwide. 

Numerous tools and techniques are available to scrape APIs, allowing individuals to amass vast amounts of data from websites. 

Often, this data is publicly accessible, but there are instances where it becomes accessible through links to other sites, inadvertently putting sensitive information at risk.

Tech giants are also vulnerable to web scraping. Meta (previously Facebook) filed a lawsuit against a surveillance service for generating fake accounts on Instagram and Facebook to scrape user data.

Similarly, in 2021, Facebook sued an individual who scraped the data of over 178 million Facebook users, exploiting the contacts import feature in its Messenger app. 

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.