Over 2.6 million Duolingo users’ info exposed on a hacker forum

News By Daniel Michan Published on August 28, 2023

The widely used language learning platform is under scrutiny following a hacker forum post. The post claims to offer access to information from 2.6 million customer accounts for $1,500.

Duolingo, a company that develops educational apps and provides language certification, has taken notice of this post. It caught their attention because it includes details from customer accounts, such as emails, phone numbers, courses taken, and other usage-related information. The post was created on a Tuesday morning.

A spokesperson for Duolingo has clarified that these records were obtained through data scraping of public profile information. They want to emphasize that there has been no data breach or hack.

"We want to assure our users that there has been no data breach or hack. We take data privacy and security seriously. Our team is actively investigating this matter to ensure the safety of our learners."

Duolingo's team is currently looking into the situation to determine if any additional protective measures are necessary to safeguard their users' well-being.

Data scraping, also known as web scraping, involves extracting data from websites and online platforms. While scraping information is standard practice, it becomes problematic when sensitive and private data is compromised.

The hacker stated that they obtained the information by exploiting an exposed Application Programming Interface (API).

The hacker shared a sample dataset from 1,000 accounts to prove their accomplishment.

The incident involving Duolingo showcases an issue that tech companies worldwide are grappling with.

Various tools and methods exist for scraping APIs, enabling individuals to gather large volumes of data from websites.

While this data is often publicly accessible, there are scenarios where it becomes inadvertently exposed through links to sites, potentially compromising sensitive information.

Tech giants are susceptible to web scraping. Meta (formerly known as Facebook) acted against a surveillance service that created fake accounts on Instagram and Facebook to scrape user data.

Similarly, in 2021, Facebook filed a lawsuit against an individual who scraped the data of more than 178 million Facebook users by exploiting the contacts import feature in its Messenger app.