Hackers Expose Data Belonging to 2.6 Million Duolingo Users
2 min. read
Updated on
Share this article
Improve this guide
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Hackers have exposed personal data of over 2 million Duolingo users, releasing it on hacking forums.
While they’ve only shown a sample, the full list can be bought for a small fee.
2.6 million Duolingo users exposed
The full list containing data of 2.6 million Duolingo users has been up for sale since January. Hackers listed it with a starting price of $1,500, open to negotiations.
Now, all the info is available on BreachForums for just 8 credits, which translates to $2.13.
The hackers also shared a sample entry showing that the list contains names, home and email addresses, phone numbers (when provided), social media information, and more generic info, such as language studies.
Vx-underground researchers have reported that a threat actor was able to steal the information through the Duolingo API.
When they send a valid email to it, the API returns generic information on the user.
The researchers have also already warned that the stolen data may eventually be used to identify users and target them in phishing attacks.
Latest tests have shown that threat actors can still exploit the Duolingo API security hole in the same way. All they have to do is submit a username or email to scrape more information.
When the incident was first reported, Duolingo said the info hackers managed to steal was publicly available.
However, users and cybersecurity experts responded by saying email addresses were not public information.
Duolingo has over 500 million users across the world and over 56 million monthly active users.
With the problem still being present, threat actors could potentially insert millions of usernames and email addresses into the API, matching them with Duolingo accounts. Then, they could scrape more data to share on hacking forums.
Although the problem has been present since January, the API is still active.
Experts have argued that allowing private information to be active through a known vulnerability is a violation of data protection laws.
