Remember when Rosetta Stone was the largest language-learning source on the internet? Just about everyone either heard of it or made use of its products. Times have changed and so have the top players in various fields. Thus, Duolingo has since snuck its way to the top, providing one of the most downloaded apps out there for learning a new language.
Of course, such popularity puts a mighty big target on your head when it comes to those looking to do no good, leading to increased risk of penetration by hackers looking to get their hands on vast amounts of data. And this is exactly what happened when hackers snuck into Duolingo’s systems and stole the data of 2.6 million users.
The breach was originally discovered earlier in the year (January), when the information came up for sale on a known hacker forum called Breached for $1,500. The information included things like username, real name, email address, phone number, and more. Duolingo has claimed the information was simply scraped from the public portion of its site. However, the data contained more than just public information, which raised a lot of concerns.
“Our investigation confirmed that this was not a breach or a hack; it was a scrape of data from public Duolingo profiles. No Duolingo systems or private user data were compromised. Regardless, as a precautionary measure, we have taken some steps to limit this from happening again. We have put in place rate limits on the specific API endpoint to make it more difficult for attackers to abuse. We take data privacy and security seriously and will continue to constantly evaluate our security measures to ensure learner safety.” — Duolingo
Although that forum was eventually taken down, it didn’t stop the information from popping up somewhere else, which is exactly what has happened recently. The information is once again in the wild, posted on a newly discovered copy of the Breached forum. This time, however, the hackers are offering it for not much more than $2.
Because non-public information was included in the leak, there are multiple assumptions that it could have been acquired by more than just scraping openly available public info. This could lead to a heavier investigation, resulting in privacy concerns and more.
Update: Duolingo has reached out explaining that the email addresses contained in the leak were obtained from other sources. Those email addresses were used with Duolingo’s API to match them with usernames via the “Find My Friends” feature. Users are able to make their profiles private so that this type of search cannot be used on them.
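As an added illustration of the two controls described above (a rate limit on the lookup endpoint and honouring private profiles), here is a constructed email-to-username lookup handler. It is example code, not Duolingo’s; the user table, the limit values and the response shape are assumptions, and private and unknown addresses deliberately return the same answer so the endpoint cannot confirm which emails have accounts.

```python
from collections import defaultdict, deque
import time

# Constructed sample directory: email -> (username, profile_is_private).
# Illustrative data only, not taken from any real service.
USERS = {
    "alice@example.com": ("alice_learns", False),
    "bob@example.com": ("bob_polyglot", True),   # private profile: must not be matchable
}

class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each caller key."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)   # caller key -> timestamps of recent calls

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Assumed policy: five lookups per minute per caller (API key, account or IP).
LIMITER = SlidingWindowLimiter(limit=5, window=60.0)

def find_friend(caller: str, email: str, users=USERS, limiter=LIMITER) -> dict:
    """Email-to-username lookup with two controls: a per-caller rate limit and
    the profile's privacy flag. Private and unknown addresses yield an identical
    response, so the endpoint is not an oracle for which emails have accounts."""
    if not limiter.allow(caller):
        return {"status": 429, "error": "rate limited"}
    entry = users.get(email.strip().lower())
    if entry is None or entry[1]:            # unknown OR private -> same answer
        return {"status": 200, "match": None}
    return {"status": 200, "match": entry[0]}
```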