Stolen data belonging to more than 2.6 million users of the language-learning program Duolingo has been posted to a dark web hacker community.
On August 22, a bad actor listed the data for sale on a dark web hacking forum, offering all 2.6 million records for US$1,500. The hacker claimed to have obtained the data through an exposed application programming interface (API) and scraping. They also provided a sample of the data from 1,000 accounts, confirming the validity of the information.
Duolingo confirmed to the news outlet TheRecord that the data came from public profile information. The disclosed data includes users’ names, usernames, email addresses, and other details pertinent to Duolingo’s services. However, it’s important to remember that Duolingo does not make email addresses available to the general public.
Regarding the cyber security incident, a Duolingo representative stated: “No data breach or hack has occurred. We take data security and privacy very seriously, and we’re still looking into this to see if any additional steps are required to protect our students.”
The exposed API has been publicly known since March 2023. By entering a username, anyone can access the public details of any Duolingo profile. Although Duolingo was notified in January 2023 that the API was available, the cyber security news website BleepingComputer has reported that it is still available. This happened as a result of a bad actor’s unsuccessful attempt to buy in on the now-defunct hacker forum Breached.