Millions of Duolingo users have scraped personal data sold online


The data of millions of Duolingo users, scraped from the platform earlier this year, is being offered on underground hacking forums for the equivalent of roughly $2.

Cybersecurity researchers from VX-Underground observed scraped user data of 2.6 million users being sold on the reborn Breached forum for 8 site credits - equivalent to around $2.13.

"Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!," the seller said in an ad posted to the site. 

Heavy discount

The data was first taken in January this year, using an exposed application programming interface (API), and includes a mix of publicly available and private data. No endpoints were breached in the incident, it seems. Publicly available data includes people’s public login and real names, while private data includes email addresses. It’s the latter that’s particularly concerning, as hackers are always on the hunt for valid email addresses to target with phishing and social engineering attacks.

When the data was first scraped in January, someone tried to sell it for $1,500. 

Duolingo acknowledged the database to The Record, but only mentioned public profile information. It did not mention that the database contained email addresses as well. The company operates one of the most popular language-learning applications in the world, with more than 70 million active monthly users.

In March this year, the company jumped on the AI bandwagon, adding a new virtual tutor that aims to replicate real-world scenarios and help students learn better. The tutor is powered by ChatGPT-4.

Making its home in the new Duolingo Max subscription tier, the tutor consists of two features: Explain My Answer and Roleplay. The former, as its name suggests, lets users who are confused by something in Duolingo's initial response ask the chatbot Duo for a detailed explanation of why their answer was right or wrong.

Roleplay, on the other hand, allows users to engage in a realistic conversation with the AI so they can practice their language skills. According to the company, no two chats will be exactly the same. In one instance, you could be talking to a "waiter" as you order coffee at a French café or discussing vacation plans in Spanish with a "friend." And at the end of every Roleplay, Duo will give you some feedback based "on the accuracy and complexity of [your] responses, as well as tips for future conversations."

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.