With the increasing prevalence of cybersecurity breaches, organizations are under growing pressure to fortify their data protection measures and ensure the security and privacy of user information. Unfortunately, even with careful safeguards, malicious actors often manage to find vulnerabilities and compromise sensitive data. Just recently, a third-party companion app for Discord.io experienced a breach that led to a temporary shutdown. Now, Duolingo, a widely used language learning app, has also fallen victim to a data breach. Read on to discover the extent of the breach, the compromised data, and the steps being taken by the company to address the issue.
Leaked Data of Duolingo Users
A tweet by @vx-underground and a subsequent blog post by BleepingComputer have confirmed that a threat actor acquired and shared 2.6 million pieces of scraped user data from Duolingo on a new version of the Breached hacking forum. Shockingly, this data is being offered on the forum for a mere 8 site credits, which translates to just $2.13, an extremely low price.
The hacker leveraged an existing bug in the Duolingo API to gain access to personal user details such as email addresses, contact information, and even addresses. This was achieved by sending a valid email to the vulnerable API.
The hacker verified active Duolingo users by inputting millions of email addresses into the compromised API. Once verified, the hacker compiled a dataset containing both public and non-public information using these email IDs. Alternatively, a username could be submitted to the API to extract JSON output containing sensitive user data.
Interestingly, this incident is not the first time this data has been exposed. Back in January, Falcon Feeds highlighted this issue through a tweet. At that time, the scraped database was available on the older version of the Breached hacking forum for $1,500. This database included personal details such as email addresses, phone numbers, pictures, privacy settings, and more.
Duolingo acknowledged this issue to TheRecord when it was raised in January and assured that an investigation was underway. However, the platform failed to notice that private information, including email addresses, was also part of the leaked data.
The most concerning aspect is that the compromised API remains accessible on the web, despite Duolingo becoming aware of the issue earlier this year. This incident underscores the tendency of companies to disregard scraped data, assuming it primarily contains publicly available information that poses little threat.
In the case of Duolingo, the scraped data contained sensitive user information that was not publicly accessible. The onus is now on Duolingo to promptly address this matter. If your data has been compromised, the best course of action is to change your credentials and possibly delete your Duolingo account to mitigate potential risks.
0 Comments