With cyber security breaches on the rise, it has become significantly important for organizations to employ stringent data protection measures to ensure the security and integrity of user data. But no matter how careful organizations are, bad actors somehow find a way to breach security to extract sensitive data. Just last week, a third-party companion app for Discord, Discord.io, suffered a data breach, resulting in its temporary shutdown. And now, the popular language learning app, Duolingo has fallen victim to a data breach. Read on to find out what Duolingo data the hackers have access to and what the company is doing about it.

According to an X post (formerly tweet) made by @vx-underground, a threat actor extracted 2.6 million scraped Duolingo user data and posted it on a new version of the popular hacking forum Breached. The breach was confirmed by BleepingComputer in a recent blog post. And the worst part is that this information has been made available on the forum for 8 site credits, worth only $2.13, which is practically nothing.

This data was collected by manipulating an existing bug in the Duolingo API that allowed the bad actor to obtain personal user information such as their email IDs, contact details, addresses and more, by sending a valid email to the API : the. A threat actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information about the user (name, email address, languages studied). They used a mailing list to compile over 2.6 million unique records. This will be used for doxxing.— vx-underground (@vxunderground ) August 21, 2023

A threat actor identified a bug in the Duolingo API. Sending a valid email to the API returns generic account information about the user (name, email address, languages studied). They used a mailing list to collect over 2.6 million unique records. This will be used for doxxing.— vx-underground (@vxunderground ) August 21, 2023