Duolingo has more than 74 million monthly users around the world. That is an enormous figure, and it makes the company a leader in the language sector. Now imagine that it suffers a hacker attack and that the data of many of those users is compromised. Unfortunately, that is exactly what has happened, and that information is now circulating online.
Just over 2 bucks. That is the price set on a hacker forum for the database made up of the private information of more than 2.6 million Duolingo users. The offer appeared in the new version of a well-known hacking forum where many specialists go in search of all kinds of tools and information.
A problem that goes back a long way
It is important to know that this Duolingo user data, which may include yours if you have ever used the service, was stolen months ago. It was first talked about in January of this year, 2023, when an offer appeared online selling the database for $1,500.
After this first appearance the leak cooled down, but in March of this year the API used to carry out the data theft was revealed. It was a publicly available tool that allowed access to Duolingo users’ public information and also provided a way to obtain email addresses. That is where the main problem lies: although much Duolingo data is publicly available, email addresses are not.
Duolingo doesn’t talk about it
Attempts by various specialists to contact Duolingo and find out its position on the matter have not borne fruit. At the moment the company is not responding and, above all, it is expected to give some explanation of why the API that caused the whole problem is still available.
Some hackers have mentioned that they have found ways to alter the use of the API with the intention of escalating the attacks. For example, they have a system that allows them to search the database for Duolingo users who have more permissions and access within the platform. They understand that these are the users who will add the most value to their phishing attacks, so they are the ones most at risk.
The data of the users affected by the security breach includes the login name on the website, the real name, information related to the service provided by Duolingo and the email address. Taken as a whole it is a sensitive block of information, since targeted and personalized attacks can be carried out if that data falls into the wrong hands.
The only time Duolingo spoke about what happened was in January, when the first news of the incident was published. At that time the company said that the stolen data came only from public databases, ignoring that email addresses had also been compromised. It stated that it would take measures so that it did not happen again but, judging by what has happened since, it does not seem to have taken any.
After all, the API in question is still available, and the database has now gone from a price of $1,500 to only $2.13. That could put it in the hands of a large number of hackers with bad intentions within a few hours. We will have to see how the situation develops in the coming days, but it cannot be said that the security team of the famous online language learning service has done too well.