Over 2.6 Million DuoLingo Customers Lose Data to Breach
Table of Contents
- By Steven
- Aug 25, 2023
DuoLingo is a massive language learning service that provides lessons to more than 74 million users around the world. The service offers short language lessons via a set of apps and is designed to help users learn new languages. Duolingo doesn't store a huge amount of information about its users, but it does have enough data on its users for it to be problematic if the information is lost. That's why it's worrying to learn that DuoLingo suffered a data breach that exposed more than 2.6 million users.
How Did the Attack Occur?
In January of 2023, a hacker was found selling scraped data for over 2.6 million DuoLingo users in a hacker forum. The data was being offered for $1,500, and the attacker provided the information to anyone willing to pay for it. While it doesn't seem like a massive amount of personal data was taken from any of the users, enough information was stolen for it to cause problems for users potentially. The attack was possible via an exposed app API or application programming interface. The API enabled users to get access to more data than they should be able to, and the data was taken and misused, and it still may be misused, further harming some of the individuals exposed.
What Information Was Viewed or Stolen?
Among the vast amounts of stolen data from DuoLingo were user names, real names, and email addresses. The names were publicly accessible, but the emails were not. That means attackers were able to somehow get into the files of DuoLingo and access more user data. Emails being taken is worrisome because the data could be used for phishing attacks. This is why the information is valuable to hackers, and it's likely this vast data pool will be sold to someone.
How Did DuoLingo Admit to the Breach?
It's unclear if DuoLingo has made any sort of public announcement about the scraped data taken from the organization. The company did admit that its information was exposed in a reply to TheRecord about the data breach. We don't suspect that letters will be sent to the individuals involved since minimal personal information was shared for each person.
What Will Become of the Stolen Information?
The stolen data was already given away on VX-Underground and is likely in the hands of multiple hackers at this time. Attackers are limited in what they can do with the stolen information, but they may be able to misuse it enough to cause harm to the people involved anyway.
What Should Affected Parties Do in the Aftermath of the Breach?
If you believe your email, name, and DuoLingo username were shared in the leaked data, you should be careful to avoid giving away any information via your email. If you receive emails requesting you provide data, avoid doing so even if they look official. Duolingo will not ask for usernames, passwords, or other details via email, and providing that information could result in financial losses for you.