DuoLingo investigating dark web post offering data from 2.6 million accounts
Language learning platform DuoLingo said it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500.
A spokesperson for the company said they are aware of the post, which was created on Tuesday morning and offers emails, phone numbers, courses taken and other information on how customers use the platform.
“These records were obtained by data scraping public profile information,” a spokesperson said.
“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”
In the post, the hacker said they obtained the information from scraping an exposed application programming interface (API) and provided a sample of data from 1,000 accounts.
The DuoLingo database (scraped) has been listed for sale in a hacker's forum. According to the user, the claimed data contains 2.6 million account entries.#databreach #cyberrisk pic.twitter.com/7jttRnncpM
— FalconFeedsio (@FalconFeedsio) January 24, 2023
The scraping of social media sites and platforms like DuoLingo is a widespread problem for many of the biggest tech companies.
There are now a number of tools that allow people to scrape APIs and extract troves of data from websites. Sometimes the information is public but in many cases it is exposed through links to other sites.
Two weeks ago, Meta filed legal action against a surveillance service which it accused of creating fake accounts on Instagram and Facebook for the purpose of scraping user data.
In October 2021, Facebook also sued a Ukrainian man who scraped the data of more than 178 million Facebook users between January 2018 to September 2019.
Facebook said the man abused its contacts import feature in its Messenger mobile app and follow-up research showed that several other social networks like Signal and Telegram were vulnerable to scraping attacks via contacts importing features.
In April 2021, the phone numbers of 533 million Facebook users were shared on a hacking forum after a hacker said they collected them by scraping Facebook.
That same year, a hacker offered data from more than 700 million LinkedIn users.
Human Security said in 2022 that web scraping increased 240% year-over-year, mostly because of the use of bots by cybercriminals.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.