Cybersecurity briefings reveal that the scraped data of 2.6 million Duolingo users was leaked on a hacking forum. DuoLingo is an educational platform most famous for its language learning programs.
The shared sample of data contains email addresses, usernames, names, and phone numbers, and information about social networks. It was initially out up for sale at the usual high price but the hackers have subsequently lowered the price for the data.
It is feared that the leaked data will be used for the practice of ‘doxxing’. This is a type of cyberattack aimed at discovering a person’s real identity.
Looking into the implications of this latest incident for Digital Journal are Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, and Jason Kent, Hacker in Residence at Cequence Security.
According to Gannon, the data has a limited value to the criminals, who perhaps targeted a source that is not especially lucrative: “The scraped data doesn’t have much value outside of targeted attacks where the attacker spoofs DuoLingo, this is demonstrated by the fact that the dump is now only worth $2.13.”
However, there are still implications for the users impacted. Here Gannon advises: “The only mitigation steps that can be taken are for users of DuoLingo to be particularly suspicious of potentially spoofed communications.”
For Kent the incident exposes some structural weaknesses in the computer systems of DuoLingo: “The Duolingo data breach highlights the vulnerabilities posed by poorly secured APIs and the potential for business logic abuse by threat actors. In this case, the breach was not a result of traditional hacking methods but rather the exploitation of an exposed API that had been openly shared since at least March 2023.”
In terms of what then happened, Kent explains: “Threat actors leveraged content scraping to obtain sensitive user data, which they subsequently leaked on a hacking forum. This exposed information enables threat actors to execute targeted phishing attacks and could lead to more severe consequences, such as intellectual property loss, increased IT costs, and potential customer attrition due to a compromised user experience.”
In terms of the attack modus, Kent assesses: “This incident underscores that not all attacks on digital resources involve traditional hacking techniques. Instead, attackers are increasingly focused on manipulating the functionalities of web apps, mobile apps, and APIs using automated tools like bots.”
In terms of learning from the errors, Kent details: “To mitigate the risks posed by content scraping attacks, organizations must adopt robust security measures encompassing traditional cybersecurity practices and newer strategies to defend against business logic abuse.”
Furthermore, Kent recommends: “Ensuring API security, conducting regular security audits, implementing access controls, and staying informed about emerging threats are vital steps to protect valuable user data and uphold customer trust.”
