2.6 million Duolingo users' email addresses exposed… again

Yesterday, as spotted by VX-Underground, the scraped data of 2.6 million users of Duolingo, one of the largest language-learning sites in the world, was re-leaked on a hacking forum and offered for just $2.23.

This past January, the scraped data of the same 2.6 million Duolingo users was offered on a now-shutdown hacking forum for $1,500. The data included login names and full names only, which Duolingo confirmed was data from public profiles. Duolingo said it was investigating whether further precautions should be taken, but it did not address the fact that email addresses, which are not publicly available, were also in the dataset.

The latest dataset was scraped through an exposed API that is still open and has been since at least March 2023; it allows anyone to submit a username and retrieve that user's public profile information. The same API also accepts an email address and confirms whether it is associated with a valid Duolingo account, so it doubles as an account-enumeration oracle.
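To make the two API behaviours just described concrete from the defender's side, here is an added illustration (not Duolingo's code, and not a description of its real API): a toy lookup endpoint that exposes the weaknesses described above next to a hardened version that closes them. The user records, the `attested` flag standing in for an app-attestation result, the per-client rate limit and the status codes are all constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample accounts for the example; not real users.
USERS = {
    "alice_learns": {"name": "Alice Example", "email": "alice@example.com"},
    "bob_lingua": {"name": "Bob Example", "email": "bob@example.com"},
}
EMAIL_INDEX = {rec["email"]: uname for uname, rec in USERS.items()}


def weak_lookup(username=None, email=None):
    """Lookup endpoint with the behaviour the post describes: any caller may
    query by username or by email with no further checks, and the email path
    reveals whether an account exists (an account-enumeration oracle)."""
    if username is not None:
        rec = USERS.get(username)
        if rec is None:
            return {"status": 404}
        return {"status": 200, "username": username, "name": rec["name"]}
    if email is not None:
        # Distinguishable answers for known vs. unknown emails are the defect.
        return {"status": 200 if email in EMAIL_INDEX else 404}
    return {"status": 400}


class SlidingWindowLimiter:
    """Per-client request limiter: at most `limit` requests in any `window`
    seconds. The client key would be the attested app token or source address."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        q = self._hits[client]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed thresholds: 5 lookups per client per minute.
LIMITER = SlidingWindowLimiter(limit=5, window=60)


def hardened_lookup(client, now, attested, username=None, email=None):
    """Same endpoint with the gaps closed:
    1. requests that do not carry a valid app-attestation result are refused
       (`attested` is a hypothetical flag; producing it is the attestation
       service's job and is not modelled here);
    2. per-client rate limiting caps scraping throughput and makes bulk
       collection visible in the 429 counts;
    3. the email path returns an identical response whether or not the
       address is registered, so it no longer confirms account existence."""
    if not attested:
        return {"status": 403}
    if not LIMITER.allow(client, now):
        return {"status": 429}
    if username is not None:
        rec = USERS.get(username)
        if rec is None:
            return {"status": 404}
        # Only the public name is returned; the email stays server-side.
        return {"status": 200, "username": username, "name": rec["name"]}
    if email is not None:
        # Uniform response: the caller learns nothing about registration.
        # Any follow-up (an invite, say) would go out-of-band to that address.
        return {"status": 202, "message": "request accepted"}
    return {"status": 400}


if __name__ == "__main__":
    print("weak, known email:   ", weak_lookup(email="alice@example.com"))
    print("weak, unknown email: ", weak_lookup(email="nobody@example.com"))
    print("hardened, known:     ", hardened_lookup("demo", 0.0, True, email="alice@example.com"))
    print("hardened, unknown:   ", hardened_lookup("demo", 1.0, True, email="nobody@example.com"))
```

The point of the uniform `202` on the email path is that a registered and an unregistered address produce byte-identical responses, so the enumeration signal disappears entirely rather than merely being rate-limited; the limiter and the attestation gate then address the bulk-scraping and "not a genuine app" problems separately.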

George McGregor, VP at Approov, had this to say:

“This unfortunately makes Duolingo look extremely negligent for a number of reasons.

“Let’s list out some of the issues:

  • The API returning public profile data based on a username without any other checks
  • Automated scraping was possible because scripts can be run against the API: in other words, no backend check that requests are coming from a genuine app
  • The issue had actually been previously identified but not addressed

“A good mobile security solution can be used to address these issues and restrict API access to properly validated app instances.”

The fact that this has happened to Duolingo before is bad, and makes it an app to avoid. Unfortunately, you cannot know how good the security of other apps is before you use them, so all app makers have to step up on this front.
