Translated from cyberbandish: Duolingo user data found its way onto the shelves of the darknet

Carding

Language level: advanced. Security level: beginner.

The personal data of 2.6 million users of the Duolingo platform has been put up for sale. Cybersecurity experts warn of the risks of doxing (publishing a person's information online without their consent) and targeted phishing attacks.

The file, which contains more than 2.6 million unique entries, was first posted on one of the hacker forums back in January of this year. There, the initial price was $1,500. Now this information is available on another platform — BreachForums, where it can be purchased for 8 credits, or $2.13.

The list includes email addresses, names, phone numbers, social media links, and other aggregated information such as language proficiency, experience, progress, and achievements.

A database with information about progress, motivation to learn a language, social networks, avatars, etc.

Duolingo acknowledged the problem, saying that the attackers scraped public profiles (scraping is the automated collection of information from websites). "There is no reason to think that our systems were compromised. We take security and privacy seriously," a representative commented on the situation.

According to the company, fraudsters may have used other resources to get email addresses.

Experts from Vx-underground found that the threat comes from an error in the Duolingo API (application programming interface). This interface allows hackers to collect personal data with minimal effort by sending a request to the system with a person's email address or name.

The vulnerability is still not fixed: the data remains available for scraping. This gives attackers a free hand to extract additional information from web resources. For example, profile photos and geolocation information can easily be obtained.

Since Duolingo's inception in 2011, more than 500 million people have registered on the platform, of which more than 60 million actively use the service every month. The news of the leak calls into question the security of the platform, especially given its scale and popularity.