October 3, 2023

Threat actors have exposed 2.6 million DuoLingo users` data on the dark web. The sale was posted on August 22nd for a cost of only $2.13. The scraped DuoLingo data was previously for sale on another dark forum, in January 2023, at a cost of $1,500.

The DuoLingo data was scraped due to an exposed API. Starting at least March 2023, researchers publicly shared how to use the API that enables anyone to submit a username and retrieve JSON output with the user’s public profile details.

The API enabled the scraper to use millions of email addresses previously exposed in other data breaches to create a dataset that matched public and non-public information regarding the email addresses owners.

Advertisements

More than 74 million people worldwide use DuoLingo monthly to learn a foreign language. The giant language learning platform is available from a desktop, Android or iPhone. They even offer a version for schools. While some of the data are public, the ability of correlating them to non-public data, such as the email address or phone numbers, poses a risk. Threat actors use this kind of data for phishing attacks and online impersonation.

Although educating employees is a mandatory, you should never rely only on your colleagues` ability to spot a phishing email or a fraud in time. Enforce email security measures and multi-factor authentication to protect your digital assets and prevent a Business Email Compromise attack.

Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: