Personal Information From 2.6 Million Duolingo Users Sold Online For $2

Tyler Cross
Published on: August 24, 2023

Information on 2.6 million users, stolen from Duolingo in a data-scraping incident earlier this year, is being sold on a hacker forum to other threat actors.

While the price started at $1,500 for access to the user information, which included full names, email addresses, languages being learned, phone numbers (in cases where they were provided), and in-app information such as experience points, the hackers are currently selling it for only $2.

“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy,” wrote the actor.

The data scraping happened in January. Duolingo reported that while information was scraped, no data breach occurred. Threat actors found a vulnerability within an API that allowed them to submit an email address and receive a JSON file that contained all of the user's information.

After finding the vulnerability, they used brute-force tactics, stuffing millions of email addresses obtained from previous breaches or other sources into the system to obtain as many JSON files as possible.
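A defender-side illustration of the enumeration pattern described above, added here and not taken from Duolingo or the original article: it scans web access logs for a single client looking up many distinct email addresses within a short window. The endpoint path, thresholds and log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOOKUP_PATH = "/api/users"   # hypothetical endpoint path, not Duolingo's real one
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) [^"]*" \d{3}')

def find_enumerators(lines, max_distinct=3, window=timedelta(minutes=1)):
    """Return {client_ip: peak number of distinct emails looked up within
    `window`} for clients whose peak exceeds `max_distinct`.
    Assumes log lines arrive in chronological order."""
    recent = defaultdict(deque)          # ip -> deque of (timestamp, email)
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip anything that is not a GET request
        url = urlsplit(m["url"])
        emails = parse_qs(url.query).get("email")
        if url.path != LOOKUP_PATH or not emails:
            continue                     # only email lookups are of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, emails[0].lower()))
        while ts - q[0][0] > window:     # drop lookups older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len({e for _, e in q}))
    return {ip: n for ip, n in peak.items() if n > max_distinct}

def _line(ip, sec, email):
    """Build one constructed access-log line `sec` seconds after 10:00:00."""
    return (f'{ip} - - [24/Aug/2023:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {LOOKUP_PATH}?email={email} HTTP/1.1" 200 512')

# Constructed sample log: one client cycling through addresses, one ordinary client.
SAMPLE_LOG = (
    [_line("203.0.113.7", i * 2, f"user{i}%40example.com") for i in range(20)]
    + [_line("198.51.100.4", s, "alice%40example.com") for s in (5, 65, 300)]
    + ['198.51.100.4 - - [24/Aug/2023:10:06:00 +0000] "GET /api/courses HTTP/1.1" 200 90']
)

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct emails looked up within one minute")
```

Counting distinct addresses rather than raw request volume keeps a client that repeatedly fetches its own profile from being flagged.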

Having this information allows other criminals to carry out social engineering scams, usually phishing scams meant to steal money from users or distribute malware onto victims’ devices.

“(The API is) openly available to anyone on the web, even after its abuse was reported to Duolingo in January,” researchers from Bleeping Computer stated. Making matters worse, other criminals have begun revealing their own API scrapes.

“A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied),” says X user, vx-underground, who first posted about the data for sale. “This will be used for doxxing.”

If you’re a Duolingo user, it’s recommended that you change your password, avoid using duplicate information, or use a reliable antivirus with data breach monitoring to secure your information.
