(29/08/23) Blog 241 – Duolingo data scraped – 2.6m accounts harvested
A threat actor discovered a vulnerability in the API of language learning app Duolingo and used it to scrape the profile data of over 2.6 million registered users.

The API endpoint did not check who was asking: anyone could submit an email address, and if that address belonged to a registered account the endpoint returned the account's profile data, including the email address, name, languages studied, and more. Because unregistered addresses got a different answer, the same call also acted as an oracle confirming which addresses belonged to Duolingo users.
By writing a small utility that fed a list of known email addresses through the endpoint, the threat actor quickly harvested the profile data of millions of users.
The data was then offered for sale on the now defunct breached.vc forum.
It was listed for 8 credits, approximately USD$2.50, a tiny amount for such a large collection of data.
At that price many buyers would have been tempted, so it is expected that the data will be used in doxxing and phishing attacks.
Have I Been Pwned?
The Duolingo data set has now been added to the Have I Been Pwned (HIBP) website, which reports that 100% of the email addresses were already in its collection from previous breaches. In other words the scrape exposed no new addresses; what it added was the link between each already-leaked address and a confirmed Duolingo profile, which is exactly the detail that makes a targeted phishing email convincing.
