ALERT: Data from 2.6 million Duolingo users stolen by hackers; understand

Recently, a worrying cybersecurity incident occurred involving the leak of data of 2.6 million users of the Duolingo.

This exposure took place on a forum frequented by hackers, which now makes it possible for malicious actors to carry out targeted attacks from phishing.

Duolingo, renowned as one of the largest global language learning sites, has more than 74 million monthly users worldwide and has suffered from a hacker attack against its users.

The data was acquired through an application programming interface (API) that was exposed, and this exposure has been in evidence since at least March 2023.

Researchers have widely shared information on how to use this API, including through tweets and public documentation.

The API functionality makes it possible for any individual to enter a username as input and receive as output a JSON file containing public details of the respective user's profile.

Duolingo suffers from data leak

During the month of January of this year, a disturbing situation emerged involving the leak of information of 2.6 million Duolingo users.

This data was spotted for sale on the now-defunct Breached forum, with a stipulated price of $1,500, according to reports from Bleeping Computer.

This information has been found to contain a mix of authentic and public usernames, as well as of sensitive data, such as email addresses and internal details regarding the services offered by the Duolingo.

While real names and usernames are publicly available as part of user profiles on Duolingo, the biggest concern centers around email addresses.

During the period that the data was available for purchase, Duolingo communicated to TheRecord that this data had been obtained from publicly available information in user profiles.

At the same time, they were conducting an investigation to determine if additional security measures were needed.

However, the company did not explicitly address the fact that email addresses were also included in the leaked data. It is noteworthy that such addresses are not in the public domain, but remain under the domain of hackers.

At Trezeme Digital, we understand the importance of effective communication. We know every word matters, so we strive to deliver content that is relevant, engaging, and personalized to meet your needs.