Personal Information From 2.6 Million Duolingo Users Sold Online For $2

Tyler Cross, Senior Writer

Information from 2.6 million users that was stolen from Duolingo in a data scraping incident earlier this year is being sold on a hacker forum to other threat actors.

While the ransom started at $1,500 for access to the user information, which included full names, email addresses, languages being learned, phone numbers (in cases where they were provided), and in-app information such as experience points, the hackers are currently selling it for only $2.

“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy,” wrote the actor.

The data scraping happened in January. Duolingo reported that while information was scraped, no data breach occurred. Threat actors found a vulnerability within an API that allowed them to submit an email address and receive a .JSON file that contained all of the user's information.

After finding the vulnerability, they used brute-force tactics, stuffing millions of email addresses obtained from previous breaches or other methods into the system to obtain as many .JSON files as possible.
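A defender-side sketch of how the email enumeration described above shows up in API access logs, added here as an example (not Duolingo's code and not from the original article): it flags clients that look up many distinct email addresses within a short window. The log format, client identifiers, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed detection window
MAX_DISTINCT = 3               # assumed threshold, kept low for the sample data

# Constructed sample log, sorted by time: "<ISO timestamp> <client id> <email looked up>"
SAMPLE_LOG = """\
2023-01-10T09:00:00 client-a alice@example.com
2023-01-10T09:00:05 client-b u0001@example.net
2023-01-10T09:00:06 client-b u0002@example.net
2023-01-10T09:00:07 client-b u0003@example.net
2023-01-10T09:00:08 client-b u0004@example.net
2023-01-10T09:00:09 client-b u0005@example.net
2023-01-10T09:01:00 client-a alice@example.com
2023-01-10T09:10:00 client-c carol@example.org
2023-01-10T09:30:00 client-c dave@example.org
2023-01-10T09:50:00 client-c erin@example.org
2023-01-10T10:10:00 client-c frank@example.org
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalized email)."""
    ts, client, email = line.split()
    return datetime.fromisoformat(ts), client, email.lower()


def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak distinct emails seen in any window} for every
    client that looked up more than max_distinct addresses inside the window."""
    recent = defaultdict(deque)  # client -> (timestamp, email) pairs still in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, email = parse_line(line)
        lookups = recent[client]
        lookups.append((ts, email))
        # Drop lookups that have aged out of the sliding window.
        while ts - lookups[0][0] > window:
            lookups.popleft()
        # Repeated lookups of the same address count once.
        distinct = len({e for _, e in lookups})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct addresses rather than raw requests keeps a user who repeatedly looks up one account from being flagged, while a slow scraper such as `client-c` only surfaces when the window is widened.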

Having this information allows other criminals to carry out social engineering scams, usually phishing scams meant to steal money from users or distribute malware onto victims’ devices.

“(The API is) openly available to anyone on the web, even after its abuse was reported to Duolingo in January,” researchers from Bleeping Computer stated. Making matters worse, other criminals have begun revealing their own API scrapes.

“A Threat Actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information on the user (name, email, languages studied),” says X user, vx-underground, who first posted about the data for sale. “This will be used for doxxing.”

If you’re a Duolingo user, it’s recommended that you change your password, avoid using duplicate information, or use a reliable antivirus with data breach monitoring to secure your information.

About the Author

Tyler Cross, Senior Writer

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.