Duolingo user data exposed on dark website

By Luu Quy   August 24, 2023 | 12:56 am PT
A post created Monday on a hacker forum shows an offer to give away information of 2.6 million account entries on Duolingo. Photo by VnExpress/Luu Quy
The data of 2.6 million accounts on language learning app Duolingo have been made available on a cybercrime marketplace, including those of Vietnamese users.

A post created Monday on a hacker forum showed one of its admins offering to give away information of 2.6 million account entries on Duolingo, one of the most popular language learning platforms, with up to 300 million users.

The anonymous hacker claimed to have information on users' emails, phone numbers, courses and other information.

According to the post, the 2.6 million account entries were "scraped from an exposed Application Programming Interface (API)" and had already been offered for sale once, in January, on the dark website Breachforums for US$1,500.

The forum was then taken down and the dataset also disappeared.

However, the hacker was able to obtain that dataset and re-uploaded it to the forum to give away.

Anyone wanting the data only has to register an account on the forum and pay eight "credits", worth about $2.13.

The hacker also provided sample data from 1,000 accounts; among the samples are at least nine accounts belonging to Vietnamese users.

In January when the data was first leaked, Duolingo confirmed to news site The Record that the data was "scraped from public profile information."

"No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there's any further action needed to protect our learners," a spokesperson said in the article.

Industry insiders have said the leak may stem from a weakness in Duolingo's API: anyone can retrieve the public profile information of any user simply by supplying a username.

Additionally, when given an email address, the API returns whether that address is associated with an existing account. Email addresses are not part of a public profile, so this effectively turns the endpoint into an account enumeration oracle.

An attacker who already holds a list of email addresses therefore only has to feed them to Duolingo's API to learn which ones belong to accounts, and can then enrich each hit with the profile data the API returns for it.

This weakness has been a concern since January, yet the API still behaves the same way.
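To make the enumeration pattern described above concrete, here is an added, self-contained illustration (not Duolingo's code, API or data): a mock email-lookup endpoint that leaks account existence, the hardened form that answers identically for every address, the attacker's loop that confirms which emails from a list are registered, and a simple log check that flags a client querying many distinct emails. The user table, endpoint names, log format and addresses are all constructed for the example.

```python
"""Account-enumeration oracle: a vulnerable email-lookup endpoint beside a hardened one.

Everything here is a constructed illustration. The user table, endpoint names and
log lines are hypothetical; none of it is Duolingo's API or data.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed sample user table keyed by email (hypothetical accounts).
USERS: Dict[str, Dict] = {
    "alice@example.com": {"username": "alice_learns", "courses": ["es", "fr"]},
    "bob@example.com": {"username": "bob_42", "courses": ["ja"]},
}
USERS_BY_NAME = {u["username"]: u for u in USERS.values()}


def lookup_by_username(username: str) -> Dict:
    """Public profile by username. Returning public fields here is by design; the
    problem below is that a non-public identifier (email) is also accepted as a key."""
    user = USERS_BY_NAME.get(username)
    if user is None:
        return {"users": []}
    return {"users": [{"username": username, "courses": user["courses"]}]}


def vulnerable_lookup_by_email(email: str) -> Dict:
    """Oracle: the response differs depending on whether the email maps to an account,
    so anyone holding an email list can confirm which addresses are registered."""
    user = USERS.get(email.strip().lower())
    if user is None:
        return {"users": []}
    return {"users": [{"username": user["username"], "courses": user["courses"]}]}


def hardened_lookup_by_email(email: str) -> Dict:
    """Same response for registered and unregistered addresses. An email-to-profile
    lookup has no business being public; if the only legitimate use is account
    recovery, answer identically and act (send mail or not) out of band."""
    _ = email  # deliberately has no influence on the response
    return {"status": "ok"}


def enumerate_accounts(candidates: Iterable[str],
                       endpoint: Callable[[str], Dict]) -> Dict[str, str]:
    """Attacker's loop: feed each candidate email to the endpoint and keep the hits,
    joining each confirmed email to the username (and public data) it returns."""
    hits: Dict[str, str] = {}
    for email in candidates:
        users = endpoint(email).get("users", [])
        if users:
            hits[email] = users[0]["username"]
    return hits


# Constructed access-log lines in a hypothetical "<client_ip> <method> <path>" format.
SAMPLE_LOG: List[str] = [
    "203.0.113.9 GET /lookup?email=alice@example.com",
    "203.0.113.9 GET /lookup?email=carol@example.com",
    "203.0.113.9 GET /lookup?email=dave@example.com",
    "203.0.113.9 GET /lookup?email=erin@example.com",
    "198.51.100.4 GET /lookup?email=bob@example.com",
]
LOOKUP_PREFIX = "/lookup?email="


def flag_enumerators(log_lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Detection: one client querying many distinct emails against the lookup endpoint
    is scanning, not using the product. Returns client IPs at or over the threshold."""
    distinct: Dict[str, set] = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()
        if path.startswith(LOOKUP_PREFIX):
            distinct[ip].add(path[len(LOOKUP_PREFIX):].lower())
    return sorted(ip for ip, emails in distinct.items() if len(emails) >= threshold)


if __name__ == "__main__":
    leaked = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print(enumerate_accounts(leaked, vulnerable_lookup_by_email))  # alice and bob confirmed
    print(enumerate_accounts(leaked, hardened_lookup_by_email))    # nothing learned
    print(flag_enumerators(SAMPLE_LOG))                             # ['203.0.113.9']
```

The fix is not to rate-limit the oracle but to remove it: a username-keyed public profile can stay public, while an email-keyed lookup must return the same body (and, ideally, the same timing) whether or not the address is registered. The log check is a second line of defence for spotting bulk scanning against whichever endpoints remain.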
