The most read Vietnamese newspaper

| Contact us | Follow us on

News Education Environment Traffic Crime

Duolingo user data exposed on dark website

By Luu Quy August 24, 2023 | 12:56 am PT

A post created Monday on a hacker forum shows an offer to give away information of 2.6 million account entries on Duolingo. Photo by VnExpress/Luu Quy

The data of 2.6 million accounts on language learning app Duolingo have been made available on a cybercrime marketplace, including those of Vietnamese users.

A post created Monday on a hacker forum showed one of its admins offering to give away information of 2.6 million account entries on Duolingo, one of the most popular language learning platforms, with up to 300 million users.

The anonymous hacker claimed to have information on users' emails, phone numbers, courses and other information.

According to the post, the 26 million account entries were "scrapped from an exposed Application Programming Interface (API)" and had already been offered for sale once on the dark website Breachforums in January for US$1,500.

The forum was then taken down and the dataset also disappeared.

However, the hacker has been able to gain access to that data and uploaded it again to the forum to give away.

Those who want to get access to the data only have to register an account on the forum and pay eight "credits," which would cost them $2.13.

The hacker even provided sample data from 1,000 accounts and among the samples, there are at least nine accounts belonging to Vietnamese users.

In January when the data was first leaked, Duolingo confirmed to news site The Record that the data was "scraped from public profile information."

"No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there's any further action needed to protect our learners," a spokesperson said in the article.

Insiders have said that the leak may come from a vulnerability in Duolingo's API which allows anyone to retrieve the public information of any of its profiles by entering the username.

Additionally, when entering an email into the API, it will return information about whether the email is associated with a valid account.

When hackers have a number of emails, all they have to do is to input them into Duolingo's API to scan which accounts they belong to, thereby enriching the data about users. 

This API vulnerability has been a concern since January, but is still used by Duolingo.

Share on Facebook Share on Twitter

Hong Kong actress Carina Lau sells Shanghai villa for $9.4M

Vietnam exit U23 Asian Cup following defeat to Iraq in quarterfinals

Indonesia keeper apologizes for provocative dance in front of South Korea player

I’m disappointed with my parents-in-law for not lending me money to purchase land

Dollar gains on black market

Malaysia detects parasitic worms in 16 tons of canned fish imported from China

Crowds depart Hanoi, HCMC for long weekend holiday

Uzbekistan knock out titleholder Saudi Arabia in U23 Asian Cup football

Intermittent fasting key to Chinese actress Liu Yifei’s 6 kg weight loss

Vietnamese teen turns seashell souvenirs into Yale scholarship success story

Duolingo user data exposed on dark website

Crime

Traffic

Environment

Education

Money

Exchange rate

Economy

Companies

Markets

Property

DataSpeaks

Guide

Food & Recipes

Places

Wellness

Love

Vogue

Celebrities

Arts

Trend

Other sports

Golf

Tennis

Marathon

Boxing

Football

Readers' Views