The scraped data of 2.6 million Duolingo users has been leaked on a hacking forum for $2.13, raising concerns about targeted phishing attacks that use the compromised information.
Duolingo, renowned as one of the world’s largest language learning platforms with a staggering user base of over 74 million monthly users globally, now faces scrutiny for the security lapse.
The first exposure of the breached Duolingo data came to light in January 2023, when researchers discovered the data was available for $1,500 on the now-defunct Breached forum. The dataset contained public and non-public information, including real names, login names, and email addresses. While real and login names are visible on users’ public Duolingo profiles, the inclusion of email addresses significantly exacerbates the threat, allowing malicious actors to execute targeted phishing attacks.
Duolingo acknowledged that the scraped data originated from public profile information, revealing that an internal investigation was underway to determine the need for additional security measures. However, the company failed to address the fact that private email addresses were also part of the exposed data, information that is not typically public.
Disturbingly, a recent development revealed that the data, initially priced at $1,500, was made available for as little as $2.13 in a new iteration of the Breached hacking forum. A post on the forum read, “Today I have uploaded the Duolingo Scrape for you to download; thanks for reading and enjoy!”.
Reports indicate this data breach was facilitated through an exposed application programming interface (API), accessible since March 2023. Despite being aware of the API’s misuse in January, Duolingo has not addressed the situation. This API enabled the scraping of millions of email addresses, potentially sourced from earlier data breaches, to ascertain whether they correspond to valid Duolingo accounts.
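As an added defensive illustration (not Duolingo’s code or logs), the following detector scans constructed API access-log lines for the pattern described above: a single client checking many distinct email addresses against a user-lookup endpoint in a short window. The endpoint path, log format and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (timestamp, client IP, method, path, status).
# The endpoint path and log format are assumptions for this example.
SAMPLE_LOG = """\
2023-03-01T10:00:00Z 203.0.113.5 GET /api/users?email=a@example.com 200
2023-03-01T10:00:02Z 203.0.113.5 GET /api/users?email=b@example.com 404
2023-03-01T10:00:04Z 203.0.113.5 GET /api/users?email=c@example.com 200
2023-03-01T10:00:06Z 203.0.113.5 GET /api/users?email=d@example.com 404
2023-03-01T10:00:08Z 203.0.113.5 GET /api/users?email=e@example.com 200
2023-03-01T10:00:10Z 203.0.113.5 GET /api/users?email=f@example.com 404
2023-03-01T10:00:01Z 198.51.100.9 GET /api/users?email=me@example.com 200
2023-03-01T10:00:05Z 198.51.100.9 GET /api/users?email=me@example.com 200
2023-03-01T10:00:07Z 198.51.100.9 GET /api/users?email=me@example.com 200
2023-03-01T10:00:09Z 198.51.100.9 GET /api/users?email=me@example.com 200
2023-03-01T10:00:11Z 198.51.100.9 GET /api/users?email=me@example.com 200
2023-03-01T10:00:03Z 192.0.2.7 GET /api/lessons 200
"""

WINDOW = timedelta(minutes=1)
MAX_DISTINCT_EMAILS = 4  # assumed threshold; tune against real traffic

def parse_line(line):
    ts, ip, _method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, path, int(status)

def find_enumerators(log_text, window=WINDOW, limit=MAX_DISTINCT_EMAILS):
    """Return {ip: peak_distinct_emails} for clients that looked up more than
    `limit` distinct email addresses within any window of length `window`.
    Counting distinct addresses (not raw requests) avoids flagging a legitimate
    client that merely retries its own address."""
    lookups = defaultdict(list)  # ip -> [(timestamp, email)]
    for line in log_text.strip().splitlines():
        ts, ip, path, _status = parse_line(line)
        if path.startswith("/api/users?email="):
            lookups[ip].append((ts, path.split("email=", 1)[1]))
    flagged = {}
    for ip, events in lookups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({email for _, email in events[start:end + 1]})
            if distinct > limit:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

On the sample above only 203.0.113.5 is flagged; the client repeating its own address stays below the distinct-address threshold. The same logic can back a rate limit on the lookup endpoint rather than only an after-the-fact alert.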
The repercussions of this breach highlight the contentious nature of scraped data. While companies often dismiss the significance of scraped data, the combination of public and private information underscores the potential violation of data protection laws.
Notably, Facebook’s 2021 data leak, in which phone numbers were linked to the accounts of 533 million users, resulted in a hefty fine of about €265 million from the Irish Data Protection Commission (DPC). Similarly, a recent Twitter API bug led to the scraping of public data and email addresses, triggering a DPC investigation.
Data breach incidents are increasing every year. About 110 million accounts were compromised in the second quarter of 2023, amounting to 855 account breaches per minute. Data breaches are happening in almost all industries worldwide. In May 2023, PharAmerica, an American pharmacy service provider, reported a massive data breach involving the data of more than 5.8 million patients. Even automobile companies are not safe. In April, Hyundai suffered a data breach in France and Italy. The same happened to Ferrari back in March this year.
Companies should follow the best practices available to protect the precious data of their customers and should remain vigilant at all times.