This week, a threat actor dumped the scraped database of 2.6 million Duolingo users, which was earlier sold for a price in a data marketplace.

The dump contains public and private information, like usernames, actual names, email addresses and other internal data. This can be used for targeted phishing attacks, warns security researchers.

Dumping Duolingo Database for More Hacks

With over 74 million monthly active users worldwide, Duolingo is one of the most popular language-learning sites today. Despite this fame, the company has failed to protect its users’ privacy, as a hacker is now sharing their database on a data marketplace.

As noted by VX Underground, a threat actor is selling the scraped database of over 2.6 million Duolingo users on a revamped Breached hacking forum for eight site credits, worth just $2.13.

The same dump was earlier sold for $1,500 and contains a mixture of users’ public login and real names, email addresses and internal information related to Duolingo. Researchers noted that the dataset was created using an exposed Duolingo API, on which several public documentations are available too.

The API allows anyone to submit a username and retrieve JSON output, which contains the user’s public profile information. Using this method, a threat actor can submit an email address into the API to confirm if it is associated with a valid Duolingo account.

As a result, the threat actor has fed millions of email addresses, likely exposed in previous data breaches, to confirm and curate matches email accounts to Duolingo users. Since it contains non-public information like email addresses, a threat actor can use it for targeted phishing attacks, warns researchers.

Another threat actor in the same forum mentioned that specific fields for some Duolingo users indicate them having more permissions than others, making them more valuable targets.

Though companies often dismiss such data scars saying the information was already public, curating them is complicated and sometimes contains sensitive data.