Months after the initial leak, a threat actor reportedly dumped the Duolingo database of over 2.6 million users this week.
This is the same database that the threat actor had tried to sell on the now-defunct Breached marketplace for $1,500. Because the dump contains both public and private information, researchers warn of potential phishing attacks against the affected Duolingo users.
Selling and Dumping Sensitive Data
With over 40 languages and 74 million monthly active users, Duolingo is undoubtedly one of the best-known language-learning apps. Even with this reach, the company failed in its responsibility to its users, as it indirectly exposed their sensitive details to the public this week.
As noted by VX Underground, a threat actor on the revamped Breached marketplace has dumped the Duolingo database of 2.3 million users for just 8 credits (about $2.13). The dump is the same one offered in a January post, where a threat actor tried to sell the Duolingo database for $1,500.
A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied).
They used an email list to assemble over 2.6m unique entries.
This will be used for doxxing.
— vx-underground (@vxunderground) August 21, 2023
It contained users’ login names, real names, email addresses and other related information stored with Duolingo. Researchers noted that the data was collected through a flaw in the Duolingo API, which allowed the threat actor to scrape a massive list of Duolingo users.
More specifically, the API allowed anyone to submit a username and retrieve a JSON output containing the user’s public profile information. The same endpoint also accepted an email address, which let threat actors confirm whether that address was associated with a valid Duolingo account.
Every email address that came back as a valid match was collected by the threat actor, which added up to 2.3 million users. Though Duolingo acknowledged the breach earlier, it appears to have done nothing to stop the data from spreading.
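As an added illustration (not code from the article or from Duolingo), the Python below models the enumeration pattern described above against a constructed in-memory user store: a lookup that accepts an email address and therefore confirms whether it is registered, the hardened form that answers identically for any address, and a check over constructed access-log lines that flags a client probing many distinct addresses.

```python
from collections import defaultdict

# Constructed in-memory user store standing in for the real service.
USERS = {
    "alice": {"username": "alice", "name": "Alice Example",
              "email": "alice@example.com", "languages": ["es", "fr"]},
    "bob":   {"username": "bob", "name": "Bob Example",
              "email": "bob@example.com", "languages": ["de"]},
}
PUBLIC_FIELDS = ("username", "name", "languages")

def lookup_leaky(query: str) -> dict:
    """Flawed pattern described in the article: an email address is
    accepted as a lookup key, so the response doubles as an existence
    oracle and ties the address to a public profile."""
    for user in USERS.values():
        if query in (user["username"], user["email"]):
            return {"found": True, **{k: user[k] for k in PUBLIC_FIELDS}}
    return {"found": False}

def lookup_hardened(query: str) -> dict:
    """Only public usernames are valid keys. Anything that looks like an
    email address gets the same answer whether or not it is registered,
    so no membership information leaks."""
    if "@" in query:
        return {"found": False}
    user = USERS.get(query)
    if user is None:
        return {"found": False}
    return {"found": True, **{k: user[k] for k in PUBLIC_FIELDS}}

# Constructed access-log lines: client IP, method, request path.
LOG = """\
203.0.113.5 GET /users?email=alice@example.com
203.0.113.5 GET /users?email=bob@example.com
203.0.113.5 GET /users?email=carol@example.com
203.0.113.5 GET /users?email=dave@example.com
198.51.100.7 GET /users?username=alice
"""

def flag_enumerators(log: str, threshold: int = 3) -> dict:
    """Count distinct email lookup keys per client. A client that probes
    many different addresses is harvesting, not browsing."""
    seen = defaultdict(set)
    for line in log.splitlines():
        ip, _, path = line.split()
        if "email=" in path:
            seen[ip].add(path.split("email=", 1)[1])
    return {ip: len(k) for ip, k in seen.items() if len(k) >= threshold}
```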
Since the leak is far from over, researchers warn of potential phishing campaigns targeting Duolingo users to extract more sensitive data. Another threat actor on the forum has also pointed fellow scammers toward the more valuable targets in the Duolingo leak, those with more information exposed.