
Duolingo's massive data breach: 2.6 million users' information leaked on hacking forum
A recent cybersecurity breach resulted in the leakage of data belonging to 2.6 million Duolingo users on a hacking forum. Duolingo, a language learning platform with 74 million monthly users worldwide, confirmed the data was extracted from public profiles. The compromised data includes public login names, real names, email addresses, and proprietary Duolingo information.
The leaked data was listed for sale on the now-defunct Breached hacking forum in January 2023 for $1,500. The inclusion of email addresses in the leaked data raises the potential for targeted phishing attacks, a concern Duolingo has yet to address. The data was extracted using an exposed API, which has been publicly available since March 2023, despite an abuse report filed in January.
The API was exploited to match emails and compile a dataset with both public and confidential information. The extracted data also discloses which users have elevated permissions, making them prime targets for attacks. Duolingo has not responded to inquiries regarding the continued public availability of the API. The combination of public and private data in the leaked dataset is considered risky and could violate data protection laws. The dataset was recently spotted on a new version of the Breached forum, priced at $2.13.