A recent incident has put the scraped data of about 2.6 million Duolingo users on a hacking forum. Because the dataset links real names to email addresses, it gives threat actors what they need to run convincing, targeted phishing campaigns against the affected users.
Duolingo is one of the most widely used language-learning platforms, with more than 74 million monthly users. Earlier this year an unidentified seller put the scraped data of about 2.6 million Duolingo users up for sale on the now-defunct Breached hacking forum.
The leaked data includes public information, namely usernames (login names) and real names. It also contains non-public details: email addresses and internal information related to the Duolingo service.
Duolingo confirmed the legitimacy of the scraped data.
Earlier this year, Duolingo confirmed in a statement that the data offered for sale was genuine and had been scraped from its users' profiles. It also said it was investigating the incident to determine whether further precautions were needed.
However, the company did not address the fact that the dataset also included email addresses, which, unlike users' real names, are not public information.
The 2.6 million-record database resurfaced earlier this week on a new incarnation of the Breached forum, priced at eight site credits, which researchers noted is worth roughly $2.13.
Threat analysts explained that the seller scraped the data through an exposed API that has been publicly shared since March. The API accepts a username and returns JSON output containing that user's public profile information.
It is also possible to submit an email address to the same API and confirm whether it belongs to an existing Duolingo account.
This let the scraper feed millions of email addresses exposed in earlier data breaches into the API, check which ones belong to Duolingo accounts, and combine each matching address with the returned public profile. The result is the dataset of public and non-public information now being sold.
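The enumeration pattern the analysts describe, simulated offline as an added example. This is not Duolingo's code or the real API: the roster, the "previous breach" email list and all function names are constructed for illustration. It shows the vulnerable lookup (email accepted as a search key, so a non-empty response confirms membership), the scraper loop that turns a breach list into a joined dataset, and a hardened lookup keyed on the public username only, with a per-client request budget since even public-profile lookups should not be scrapeable millions of times.

```python
"""Account enumeration through a profile-lookup API, simulated offline.

Constructed sample data only; nothing here contacts a real service.
"""
from collections import defaultdict

# Constructed roster standing in for the real user table (assumption:
# usernames and real names are public, email addresses are not).
ROSTER = [
    {"username": "alice_lang", "name": "Alice Example", "email": "alice@example.com"},
    {"username": "bob_learns", "name": "Bob Example", "email": "bob@example.org"},
    {"username": "carol_es", "name": "Carol Example", "email": "carol@example.net"},
]
BY_USERNAME = {u["username"]: u for u in ROSTER}
BY_EMAIL = {u["email"].lower(): u for u in ROSTER}

PUBLIC_FIELDS = ("username", "name")


def public_view(user: dict) -> dict:
    """Strip the record down to the fields the profile page already shows."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def lookup_vulnerable(query: str) -> dict:
    """Mimics the exposed lookup: accepts a username OR an email address.

    The email path is the leak. A non-empty result confirms that the address
    belongs to an account and ties it to that account's public profile.
    """
    key = query.strip()
    user = BY_EMAIL.get(key.lower()) if "@" in key else BY_USERNAME.get(key)
    return {"users": [public_view(user)] if user else []}


def lookup_hardened(query: str) -> dict:
    """Lookup keyed on the public username only.

    An email address is never a valid search key, and the response for one is
    byte-for-byte the same as a username miss, so a breach list cannot be
    checked against the roster.
    """
    key = query.strip()
    if "@" in key:
        return {"users": []}
    user = BY_USERNAME.get(key)
    return {"users": [public_view(user)] if user else []}


def enumerate_members(candidate_emails, lookup) -> dict:
    """What the scraper did: feed email addresses from older breaches into
    the lookup and keep every address that resolves to a profile, producing
    the email-to-profile join that makes the dataset non-public."""
    found = {}
    for email in candidate_emails:
        hits = lookup(email)["users"]
        if hits:
            found[email] = hits[0]
    return found


class BudgetedLookup:
    """Per-client request budget wrapped around a lookup function.

    The other half of the fix: username-only lookup stops email
    confirmation, but bulk scraping of public profiles still needs a
    ceiling on how many lookups one client may make.
    """

    def __init__(self, lookup, budget: int):
        self.lookup = lookup
        self.budget = budget
        self.used = defaultdict(int)

    def __call__(self, client: str, query: str) -> dict:
        self.used[client] += 1
        if self.used[client] > self.budget:
            return {"error": "rate limited"}
        return self.lookup(query)


# Constructed "previous breach" list: two roster members (one with odd
# casing), two addresses that are not Duolingo users.
BREACH_EMAILS = [
    "alice@example.com",
    "nobody@example.com",
    "Bob@example.org",
    "mallory@example.com",
]

if __name__ == "__main__":
    print("vulnerable:", enumerate_members(BREACH_EMAILS, lookup_vulnerable))
    print("hardened:  ", enumerate_members(BREACH_EMAILS, lookup_hardened))
```

Running the block shows the vulnerable endpoint handing back two of the four breach addresses joined to their profiles, while the hardened endpoint returns nothing for any of them yet still serves a normal profile lookup by username.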
Security experts urge Duolingo users to be vigilant about the emails they receive, since a message that addresses them by their real name and arrives at the address tied to their account is exactly what the leaked data makes possible. Treat unexpected messages claiming to come from Duolingo with suspicion and verify them through the app or website rather than through links in the email.