Email addresses, names and phone numbers of 2.6 million Duolingo users available for $2 on hacking forum

Threat actors have leaked the scraped data of 2.6 million Duolingo users on a popular hacking forum. The user data gathered from the language-learning platform was initially put up for sale in January 2023 for $1,500.

Today, however, the scraped data is accessible for a little over $2 to anyone who may want to use it for doxing or targeted phishing attacks. A sample of 1,000 records was also offered for free.

How did malicious actors scrape the information on Duolingo users?

According to the initial company statement in January 2023, 2.6 million user records were obtained by scraping information found in public user profiles, and no data breach or hack occurred.

This was done by exploiting an exposed application programming interface (API) that allowed anyone to feed in email addresses or usernames and retrieve a JSON file containing their profile information.

The exposed API allowed malicious individuals to submit millions of email addresses (even from older data breaches or leaks) and retrieve account information matching the submitted usernames.

According to BleepingComputer investigators, the Duolingo data leak post was spotted by “X” user VX-Underground yesterday (the same day it was released to the public) on a new version of the infamous Breached hacking forum.

"Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy," the post reads.

                                       Source: BleepingComputer

Compromised data includes users’ email addresses, languages studied, phone numbers (where available), names, courses and other Duolingo information, such as learning progress and XP (experience points).

Researchers at BleepingComputer have also confirmed that the API used to scrape the platforms’ user data is still “openly available to anyone on the web, even after its abuse was reported to Duolingo in January.”

Moreover, other threat actors have begun sharing their own API scrape and advice to other criminals who may want to use this data in social engineering schemes (phishing).

“Threat actors wishing to use the data in phishing attacks should pay attention to specific fields that indicate a Duolingo user has more permission than a regular user and are thus more valuable targets,” BleepingComputer explained.

Bitdefender Digital Identity Protection can help you take on the wave of data leaks that put you in harm's way.

Our dedicated identity protection tool continuously monitors your digital presence (using only your phone number and email address), helping you prevent attacks against your digital identity, manage personal data, protect online accounts, and reduce your footprint.