The database with information from 2.6M Duolingo users is put back on sale

A bug in Duolingo's application programming interface (API) exposed not only public profile information but also the email addresses of 2.6 million users of the language-learning app. The resulting database has now been put up for sale again and could be used in cyberattacks.

The database now being offered again first appeared in January on a clandestine forum, where it was listed for 1,500 dollars (about 1,390 euros). At the time, Duolingo ruled out a 'hack' of its platform, stating that the data was public information that a malicious actor had combined with data stolen in other security incidents.

Specifically, it contained usernames, courses taken, email addresses, phone numbers and platform usage information for 2.6 million users. However, as Bleeping Computer has pointed out, some of that data was not public, namely the email addresses.

That data could be obtained through a failure or 'bug' in the Duolingo API, which allowed a malicious actor to submit an email address obtained in another 'hack' and receive the account information of the corresponding user of the language app. According to the cybersecurity collective VX Underground, this flaw remains unfixed, even though the app's operator has known about it since January.
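The bug class described above, an unauthenticated lookup that accepts an email address and answers with the matching profile, is shown below alongside a hardened form, as an added example that is not Duolingo's code and not part of the original article. The user table, session tokens, client identifiers and handler names are all constructed for this illustration. The hardened handler returns the same constant body to every caller who is not the authenticated owner of the account, so a request can no longer confirm whether an email is registered, and a per-client rate limit bounds bulk probing even of that generic response.

```python
"""Email-to-profile lookup: the leaky pattern and a hardened replacement.

Everything here (USERS, SESSIONS, token values, client ids) is constructed
sample data for the example; none of it is Duolingo's API or data.
"""
import time
from typing import Dict, List, Optional

# Constructed sample accounts: the fields a leaky lookup would hand back.
USERS: Dict[str, dict] = {
    "alice@example.com": {"username": "alice_learns", "courses": ["es", "fr"],
                          "phone": "+1-555-0100"},
    "bob@example.com": {"username": "bob42", "courses": ["de"],
                        "phone": "+1-555-0101"},
}

# Constructed session store: token issued at login -> owning email.
SESSIONS: Dict[str, str] = {"tok-alice": "alice@example.com"}


def lookup_leaky(email: str) -> Optional[dict]:
    """Vulnerable pattern: anyone can submit an email and, if it belongs to a
    registered account, receive the profile. Each call both confirms that the
    email is registered and links it to a username and phone number."""
    return USERS.get(email)


class RateLimiter:
    """Sliding-window limiter keyed by client id (in-memory, for the example)."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits: Dict[str, List[float]] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        # Keep only hits inside the current window, then decide.
        hits = [t for t in self._hits.get(client, []) if now - t < self.window_s]
        if len(hits) >= self.limit:
            self._hits[client] = hits
            return False
        hits.append(now)
        self._hits[client] = hits
        return True


LIMITER = RateLimiter(limit=5, window_s=60.0)
GENERIC = {"status": "ok"}  # identical body whether or not the email exists


def lookup_hardened(email: str, token: Optional[str], client: str,
                    now: Optional[float] = None) -> dict:
    """Hardened form: only the authenticated owner gets the profile.

    Every other caller, including one presenting a valid token for a
    different account, receives the same constant response, so the endpoint
    cannot be used to test whether an email is registered. The rate limit is
    applied before any lookup so bulk probing is cut off regardless."""
    if not LIMITER.allow(client, now):
        return {"status": "rate_limited"}
    owner = SESSIONS.get(token) if token else None
    if owner is None or owner != email:
        return dict(GENERIC)
    return {"status": "ok", "profile": USERS[email]}


def tally_unauthenticated(emails: List[str], client: str,
                          now: float = 0.0) -> Dict[str, int]:
    """Show what an unauthenticated caller sees over a batch of lookups:
    only status values, never profiles, and the limiter kicks in."""
    counts: Dict[str, int] = {}
    for email in emails:
        status = lookup_hardened(email, None, client, now)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts
```

The point of the hardened handler is that the response for a registered email and for an unknown one is byte-for-byte identical to anyone but the account's own session, which is the property the leaky version lacks; the rate limit is a second, independent control rather than a substitute for it.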

The database is now being sold for about 2.13 dollars (1.9 euros). With the information it contains, phishing attacks can be launched in which a malicious actor impersonates a legitimate source, such as a bank, to trick the victim into handing over sensitive and confidential information, such as credentials for digital services, or to steal money.

VX Underground also points to 'doxing' attacks, a practice of investigating and publishing private information about an individual or organization on the Internet, generally with the aim of intimidating, humiliating or threatening them.

By Editor