Duolingo Data Breach: Hackers Post Scraped Data on Hacking Forum

After Discord’s data breach, which resulted in a temporary halt in its operations, the popular language-learning app Duolingo is facing a data breach of its own.

A post on X (formerly Twitter) by user @vx-underground stated that a threat actor scraped data of over 2.6 million Duolingo users and posted it on the latest version of the hacking forum ‘Breached.’ BleepingComputer confirmed the breach in its recent post.

Apparently, the hackers gathered the data by exploiting existing vulnerabilities in the Duolingo API, which gave them access to users’ personal data, contact details, addresses, and much more, all by sending a valid email address to the API.

The hackers further succeeded in finding active Duolingo users by feeding millions of email addresses to the vulnerable API. The email IDs were then used to create a dataset that contained public and non-public information. As an alternative, it is also feasible to supply a username to the API in order to obtain JSON output that contains sensitive user information.
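From the defender's side, this kind of bulk lookup shows up in API access logs as one client querying many distinct email addresses in a short time. The sketch below is an added example, not code from the article or from Duolingo; the log format, the one-minute window, the threshold, and the assumption that the API answers 200 for registered addresses and 404 otherwise are all illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # assumed sliding window
MAX_DISTINCT = 5               # assumed limit on distinct emails per client per window

# Constructed log lines: "timestamp client-ip looked-up-email http-status".
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i * 2:02d} 203.0.113.7 user{i}@example.com "
    f"{200 if i % 3 == 0 else 404}"
    for i in range(8)
] + [
    "2024-01-01T10:00:05 198.51.100.20 alice@example.com 200",
    "2024-01-01T10:00:30 198.51.100.20 alice@example.com 200",
    "2024-01-01T10:03:00 198.51.100.20 bob@example.com 200",
]

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, client, email, status = line.split()
    return datetime.fromisoformat(ts), client, email.lower(), int(status)

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: (distinct emails, emails confirmed by a 200)} taken at
    each flagged client's peak window."""
    recent = defaultdict(deque)  # client -> (timestamp, email, status) in window
    flagged = {}
    for ts, client, email, status in sorted(map(parse, lines)):
        q = recent[client]
        q.append((ts, email, status))
        while ts - q[0][0] > window:   # drop lookups older than the window
            q.popleft()
        distinct = {e for _, e, _ in q}
        confirmed = {e for _, e, s in q if s == 200}
        peak = flagged.get(client, (0, 0))[0]
        if len(distinct) > max_distinct and len(distinct) > peak:
            flagged[client] = (len(distinct), len(confirmed))
    return flagged

if __name__ == "__main__":
    for client, (n, hits) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct emails in window, {hits} confirmed accounts")
```

Counting distinct addresses rather than raw requests keeps a client that repeatedly looks up its own account from being flagged, and the confirmed count shows how much the differing responses reveal to the caller.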

But this is not the first time that this information has surfaced online. Falcon Feeds raised awareness of this problem via an X post in January. The scraped database was offered for sale for $1,500 on a previous iteration of the Breached hacker forum. Personal information about individuals, including email addresses, phone numbers, photographs, privacy settings, and much more, was revealed in the data.

Earlier, Duolingo had confirmed the da

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
