Duolingo Data Breach Exposes 2.6 Million Users to Phishing Risks

23 Aug 2023, enterprisesecuritytech.com

A serious data leak has affected 2.6 million Duolingo users, exposing their details on the dark web. Concerns grow over targeted phishing attacks as the platform grapples with API vulnerabilities.

Key Takeaways

  1. A significant data breach has sent shockwaves through the language-learning platform Duolingo, compromising the information of approximately 2.6 million users.
  2. In a recent update, Duolingo confirmed that the compromised data was collected from public profiles.
  3. This included key fields indicating users with elevated permissions, positioning them as significant targets for phishing attempts.

A significant data breach has sent shockwaves through the language-learning platform Duolingo, compromising the information of approximately 2.6 million users. This incident, which recently came to light, has raised alarms about potential phishing risks that could be exploited by cybercriminals leveraging the leaked user data.

Duolingo, which boasts a massive 74 million active users worldwide, is now facing scrutiny as details of user accounts have surfaced on a notorious hacking forum. In January 2023, a dataset was posted for sale at $1,500 on the Breached hacking site, revealing a trove of data—including public usernames, real names, email addresses, and various internal data connected to Duolingo's services.

The implications of this data exposure are alarming, especially with the inclusion of personal email addresses. Although the real names and usernames are part of publicly visible profiles, the leaking of email addresses amplifies the risk of targeted attacks.

In a recent update, Duolingo confirmed that the compromised data was collected from public profiles. However, the company did not adequately address the gravity of including private email addresses, which significantly heightens the risk for users.

Notably, the dataset re-emerged on a revamped Breached forum, now available for a mere price of $2.13. A post on the platform claimed, "Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!" This indicates a troubling trend where sensitive information is continuously traded in illicit circles.

The breach itself was reportedly facilitated through the exploitation of an exposed application programming interface (API). This API, publicly accessible since March 2023, allows anyone to enter a username and retrieve JSON data about that user's profile. Even more troubling, it can confirm whether an email address corresponds to an active Duolingo account, which makes it a valuable tool for cybercriminals building target lists.

Despite being informed of the API's misuse as early as January, Duolingo has yet to take action to secure the vulnerability, keeping it accessible to potential attackers. This lack of response provided an opportunity for malicious actors to check numerous email addresses against Duolingo accounts, ultimately constructing a considerable dataset of both public and private information.
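The abuse described above, many email or username lookups against a profile endpoint from one client in a short span, leaves a recognisable trace in API access logs. The detector below is an added example written for this article, not Duolingo's code; the log format, the `/api/profile` path and the `email`/`username` query parameters are constructed assumptions, as are the sample log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (timestamp, client IP, method, target, status).
# 203.0.113.5 probes six distinct emails in four seconds; 198.51.100.7 looks
# like a normal client fetching its own profile twice.
SAMPLE_LOG = """\
2023-08-23T10:00:01Z 203.0.113.5 GET /api/profile?email=a@example.com 200
2023-08-23T10:00:02Z 203.0.113.5 GET /api/profile?email=b@example.com 404
2023-08-23T10:00:02Z 203.0.113.5 GET /api/profile?email=c@example.com 200
2023-08-23T10:00:03Z 203.0.113.5 GET /api/profile?email=d@example.com 404
2023-08-23T10:00:03Z 203.0.113.5 GET /api/profile?email=e@example.com 404
2023-08-23T10:00:04Z 203.0.113.5 GET /api/profile?email=f@example.com 200
2023-08-23T10:00:05Z 198.51.100.7 GET /api/profile?username=learner42 200
2023-08-23T10:00:09Z 198.51.100.7 GET /api/profile?username=learner42 200
"""

WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)
THRESHOLD = 5                   # distinct identifiers per window before alerting

def parse_line(line):
    """Return (timestamp, client, identifier) for a profile lookup, else None."""
    ts, client, _method, target, _status = line.split()
    url = urlparse(target)
    if url.path != "/api/profile":
        return None  # not the endpoint we are watching
    qs = parse_qs(url.query)
    ident = (qs.get("email") or qs.get("username") or [None])[0]
    if ident is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, ident.lower()

def find_enumerators(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client: peak distinct identifiers in any window} for clients
    whose peak reaches the threshold; ordinary clients are omitted."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, ident = rec
            events[client].append((ts, ident))
    flagged = {}
    for client, recs in events.items():
        recs.sort()  # sort by timestamp so each window starts at recs[i]
        peak = max(len({i for t, i in recs[k:] if t - start <= window})
                   for k, (start, _) in enumerate(recs))
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Counting distinct identifiers rather than raw request volume is what separates enumeration from a chatty but legitimate client refreshing one profile.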

Further complicating the matter, another hacker shared additional scraped data acquired via the same API. This included key fields indicating users with elevated permissions, positioning them as significant targets for phishing attempts.

The broader issue of data scraping, often dismissed by companies as a non-threat, continues to raise concern. Cybersecurity experts argue that although companies may contend that the data is already publicly available, combining public and private information significantly increases users' exposure.

Richard Bird, Chief Security Officer at Traceable AI, expressed his frustration regarding the Duolingo breach: "As both a customer of Duolingo and a security professional I find this breach to be irritating and inexcusable. As a customer I don't need one more company exercising poor stewardship over the data that I've entrusted them with. I want to enjoy my experience learning Spanish without having to worry about who has my information."

Bird further emphasized that the delay in securing the API represents a serious failure by Duolingo: "Duolingo's delay or inattention to fixing the source of the API related data scraping is really unacceptable. Failing to act with urgency on an API breach like this is an open invitation to the bad guys to just keep picking and poking at your systems and processes trying to find a bigger payday."

He added, "If companies like Duolingo are informed of a problem and then drag their feet in addressing it, it sends the 'weak prey' signal to the bad actors of the world." This sentiment underscores the urgent need for companies to prioritize the protection of user data and address vulnerabilities effectively.

As the fallout from this breach continues to unfold, Duolingo faces substantial pressure to bolster its security measures. The increasing frequency and ferocity of data breaches highlight a crucial point: companies must treat user data with the utmost care, ensuring robust protections against potential exploits. The consequences of failing to do so can be devastating, not only for affected users but also for the overall trust in the platform itself.