Duolingo Suffers Massive Data Breach; Scrapped Data Lands on Hacking Forum

Data breaches happen even to organizations that take security seriously. The latest example is Duolingo, the popular language-learning app: millions of user records scraped from it have been posted on a hacking forum. This article covers what was exposed, how the data was collected, how the company has responded, and what affected users can do.

Details of the Data Breach

As first flagged by the @vx-underground research account, a threat actor released 2.6 million Duolingo user records on the Breached hacking forum. BleepingComputer confirmed the listing in a recent report. The dataset was offered for the equivalent of about $2.13 in forum credits, which makes it effectively free to anyone with an account there.

The data was not taken from a compromised database; it was scraped through an exposed Duolingo API. The endpoint accepts an email address and, if that address belongs to an account, returns the account's profile information. An attacker who already holds a large list of email addresses (from other breaches, for example) can replay it against the endpoint to confirm which addresses have Duolingo accounts and to tie each one to a real name and profile. The resulting dataset joins profile details that are public on the site with information that was never public, namely the email address behind each account.

Past Occurrences of the Data Leak

This is not the first time Duolingo data has surfaced in this way. In an earlier incident reported by Falcon Feeds, a similar database was offered on the original Breached forum for $1,500. That listing advertised personal details such as email addresses, phone numbers, profile pictures, and privacy settings.

Duolingo acknowledged the issue earlier this year and said it was investigating, but its response did not address the fact that non-public information, including email addresses, was part of the exposed data.

The Ongoing Vulnerability

The most alarming aspect of this incident is that the API used for the scraping is still publicly accessible. Although the issue was brought to the company's attention in January, it has not been locked down. This is a common pattern: companies tend to treat scraped data as low priority because most of it is already public. The problem here is the join. A name and a list of languages studied are public; the email address that resolves to that profile is not, and an endpoint that lets anyone perform that lookup without authentication or rate limiting turns the public profile into a confirmation oracle for email lists. The standard fixes are to require an authenticated caller, rate-limit lookups per caller, return an identical response for unregistered addresses and for users who have not opted in to being discoverable, and never echo the email address back.
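The lookup pattern described in the two sections above, shown as an added example that is not Duolingo's code: `leaky_lookup` models an unauthenticated email-keyed endpoint that confirms registration and hands back the profile, `scrape` shows what a holder of an address list does with it, and `HardenedLookup` keeps the same "find a friend" feature while removing the oracle. The user table, field names, endpoint logic and rate-limit numbers are all constructed for illustration and do not describe Duolingo's actual API.

```python
"""E-mail lookup endpoint: the leaky design beside a hardened one.

Added example, not Duolingo's code. The user table, field names and the
endpoint logic are constructed for illustration.
"""
import time
from collections import defaultdict

# Constructed sample data (hypothetical accounts). The profile fields are
# public on the site; the e-mail key is not. 'discoverable' is an opt-in
# flag that the hardened version honours and the leaky version ignores.
USERS = {
    "alice@example.com": {"username": "alice_learns", "name": "Alice",
                          "languages": ["es", "fr"], "discoverable": False},
    "bob@example.com":   {"username": "bob_b", "name": "Bob",
                          "languages": ["de"], "discoverable": True},
}

PUBLIC_FIELDS = ("username", "name", "languages")


def leaky_lookup(email):
    """Vulnerable pattern: unauthenticated, unlimited lookup keyed on e-mail.

    Anyone holding an address list can replay it and learn two things per
    address: whether it has an account, and the public profile behind it.
    That welds a non-public e-mail to a public identity.
    """
    user = USERS.get(email)
    if user is None:
        return {"found": False, "users": []}
    public = {k: user[k] for k in PUBLIC_FIELDS}
    return {"found": True, "users": [dict(public, email=email)]}


def scrape(candidate_emails):
    """What a scraper does against leaky_lookup: replay a list, keep the hits."""
    hits = {}
    for email in candidate_emails:
        result = leaky_lookup(email)
        if result["found"]:
            hits[email] = result["users"][0]
    return hits


class HardenedLookup:
    """Same feature ("find a friend by e-mail") with the oracle removed.

    * The caller must be authenticated, so every query is attributable.
    * Each caller gets at most `limit` lookups per `window` seconds.
    * Only users who opted in are discoverable; an opted-out account and a
      non-existent address produce the same response, so the endpoint no
      longer confirms which addresses are registered.
    * The e-mail itself is never echoed back.
    """

    NOT_FOUND = {"status": "ok", "users": []}

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self._calls = defaultdict(list)   # caller id -> lookup timestamps

    def _allowed(self, caller, now):
        # Sliding window: drop timestamps older than the window, then check.
        recent = [t for t in self._calls[caller] if now - t < self.window]
        if len(recent) >= self.limit:
            self._calls[caller] = recent
            return False
        recent.append(now)
        self._calls[caller] = recent
        return True

    def lookup(self, caller, email, now=None):
        """`caller` is the authenticated identity (None = unauthenticated).
        `now` is injectable so the rate limiter can be tested deterministically."""
        now = time.monotonic() if now is None else now
        if caller is None:
            return {"status": "unauthorized", "users": []}
        if not self._allowed(caller, now):
            return {"status": "rate_limited", "users": []}
        user = USERS.get(email)
        if user is None or not user["discoverable"]:
            return dict(self.NOT_FOUND)
        return {"status": "ok", "users": [{k: user[k] for k in PUBLIC_FIELDS}]}


if __name__ == "__main__":
    # Constructed address list a scraper might hold: two real, one not.
    candidates = ["alice@example.com", "bob@example.com", "nobody@example.com"]
    print("leaky:", scrape(candidates))
    api = HardenedLookup(limit=2, window=60.0)
    for e in candidates:
        print("hardened:", e, api.lookup("user-123", e, now=0.0))
```

Running the block shows the leaky endpoint returning both registered accounts with their email addresses attached, while the hardened one returns only Bob, who opted in, with no email, and refuses the third query in the window. Rate limiting alone is not enough: with a large enough pool of accounts or IP addresses a scraper still gets through, which is why the constant response for non-discoverable users and the authentication requirement matter more than the numbers.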

What to Do if Your Data is Affected

If you suspect that your data is in the Duolingo dataset, take the following steps:

  1. Change your login credentials: The scraped records described above contain profile data, not passwords, but if your Duolingo password is reused anywhere else, change it there and on Duolingo to a strong, unique one.
  2. Watch for phishing: The main risk from this data is targeted phishing. Treat unexpected messages that mention Duolingo, use your real name, or ask you to log in or confirm account details with suspicion, and monitor your email and other accounts tied to that address for unusual activity.
  3. Enable two-factor authentication: Turn it on wherever it is offered, above all on the email account tied to your Duolingo login, since that mailbox is what a phishing campaign built on this data would target.
  4. Contact Duolingo: Report your concern to Duolingo support and ask what further measures they recommend.
  5. Delete your account (if necessary): If you no longer wish to use Duolingo, deleting the account removes the profile that the exposed API can return.

In conclusion, the Duolingo incident shows that scraping through an exposed API deserves the same urgency as a conventional breach when the scraped data links public profiles to non-public information. Companies need to close such endpoints promptly, and users should assume their email address and profile details are now in circulation and stay alert for phishing.

Note: This article is meant to inform and provide guidance. It is not a substitute for professional cybersecurity advice.