Language learning platform Duolingo suffered a significant data breach earlier this year that compromised almost 3 million email addresses.
In January this year, a threat actor uploaded a scraped Duolingo database for sale on the dark web, shared a sample of data from 1,000 accounts, and claimed to have obtained the data by scraping an exposed application programming interface (API).
The threat actor also claimed that the database in question contains 2.6 million account entries and offered to sell the database for $1,500.
A Duolingo spokesperson, however, denied all reports of a data breach, stating that the company was aware of the hacker’s post, which contained sensitive personal details such as email addresses, phone numbers, courses taken, and other details such as how Duolingo users use the platform. The spokesperson added that the company was looking into whether any additional steps were required to protect its students.
Surfshark revealed last week that almost a third of the scraped email addresses belonged to users from the United States. According to the report, 967,000 U.S. email addresses were compromised in the security incident, followed by South Sudan, France and the U.K.
“In total, 16.3M data points of Duolingo users were exposed. On average, each email account was leaked with five data points, such as language, profile picture, username, name, country or bio. Some user accounts got all of their details leaked,” the report reads.
According to VX-Underground, the scraped data of 2.68 million email addresses was posted on the new version of the Breached hacking forum for eight site credits, worth only $2.13.