The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.
Next email from duo: give me your credit card details
“My Social Security number is…”
Do the people that release these get paid somehow? Or do they just do it for hacker cred and say fuck these 2.6M people?
In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500.
…
As first spotted by VX-Underground, the scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.
“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!,” reads a post on the hacking forum.
HODL, the value will go up again for sure
This part is also, ummm, interesting…
BleepingComputer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.
They’ll send fake emails where the green owl comes to collect “late fees” for your 216-day streak of missed Spanish lessons.
We’ve been trying to reach you about your language course’s extended warranty…
You’ll have to pay with Bed Bath and Beyond gift cards.
Both.
Oh no, not my German and Japanese scores!!!
I guess the email could become a spam target?? Gmail does a good job sorting that for me.
They’ll know my very poor scores :(.
Damn, they’ll know I didn’t finish that Spanish lesson the bird bothered me about!
They’ll know I’m ~1800 days into French and still shit at it.
The shame!
Hi! Nice to meet you, how are you?
I’m well, and you?
Very well!
Hello and good day!
Hello! (Bonjour!)
That means “‘Sup?”
I hope they don’t fucking send me spam.
Depending on how far you got, you might not understand it anyway.
Want a big dick? Click here!!!
Lots of money in your future! USD$80,000,000,000 Euro!
That’s the thing that annoys me most about Duolingo: if they’re going to show you ads, the least they could do is show you ones in the language you’re trying to learn instead of your native one.
“Scraped” data suggests that it’s data available on public profile pages. However, the article also says the dump is a mix of public and non-public info. So which is it, scraped or not? It’s an important distinction, because data collection by scraping is technically not a breach.
Take this with a pinch of salt, but what I’m gathering is that it’s essentially just taking people’s public profiles, but the Duolingo API also exposes users’ e-mail addresses (and possibly other info) that isn’t normally displayed as part of the user’s public profile via their app.
In essence, they’re exposing more data than they probably should be and users were not really aware that data was being made public - that’s why people are upset about it.
Ok, this makes sense – in which case the API should not be exposing data that isn’t otherwise available on the public profile, so that is significant.
Is there a list on what data exactly got leaked, that wasn’t public before?
However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information.
From the article, emphasis mine.
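The exposure class the comments above describe (a profile-lookup API returning fields such as the e-mail address that the public profile page never shows) is usually prevented by allowlisting response fields per caller. The following is an added example, not Duolingo’s code (which is not public); the field names, the stored record and the `serialize_user` / `overexposed_fields` helpers are constructed for illustration.

```python
"""Per-caller field allowlisting for a user-profile endpoint (hypothetical)."""

# Fields the product shows on a public profile page.
PUBLIC_FIELDS = frozenset({"id", "username", "display_name", "streak", "courses"})
# Fields only the account owner may see; never returned to anyone else.
OWNER_ONLY_FIELDS = frozenset({"email", "phone"})

# Constructed account record as it might sit in the database.
STORED_USER = {
    "id": 12345,
    "username": "owl_fan",
    "display_name": "Owl Fan",
    "email": "owl_fan@example.invalid",  # non-public
    "phone": "+1-555-0100",              # non-public
    "streak": 216,
    "courses": ["es", "fr"],
    "password_hash": "<constructed>",    # never serialized at all
}


def serialize_user(record: dict, requester_id=None) -> dict:
    """Serialize a stored record for the caller identified by requester_id.

    requester_id is None for unauthenticated callers. Allowlisting (keep only
    known-safe keys) beats denylisting (strip known-sensitive keys): a column
    added later is hidden by default instead of leaked by default.
    """
    allowed = PUBLIC_FIELDS
    if requester_id is not None and requester_id == record["id"]:
        allowed = PUBLIC_FIELDS | OWNER_ONLY_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def overexposed_fields(response: dict, requester_id=None) -> set:
    """Audit helper for tests or an API gateway: keys in a response that the
    given caller should not be able to see. Empty set means no over-exposure."""
    allowed = PUBLIC_FIELDS
    if requester_id is not None and requester_id == response.get("id"):
        allowed = PUBLIC_FIELDS | OWNER_ONLY_FIELDS
    return set(response) - allowed


if __name__ == "__main__":
    print("anonymous view:", serialize_user(STORED_USER))
    print("owner view:", serialize_user(STORED_USER, requester_id=12345))
    # Running the audit over the raw record shows what a naive endpoint leaks.
    print("leaked by raw record:", sorted(overexposed_fields(STORED_USER)))
```

Running `overexposed_fields` against recorded responses of every unauthenticated endpoint in CI is a cheap regression check for exactly the kind of leak reported here.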
RIP my email I use specifically for organizations I don’t trust
How is that API still up after this has happened?
I only see this comment, but it says 53 comments. I just want to know why they didn’t tell their userbase.
I see the same thing. However if you go to the link to this post on kbin.social, you can see the other comments. It’s weird. https://kbin.social/m/technology@lemmy.world/t/371933 Edit: the hyperlink won’t display properly in this comment. You have to copy the whole link and paste it in your browser.
Lemmy and kbin have been having some federation issues lately, which might be why you’re only seeing one comment.
I pray for whoever pisses off the Duolingo bird
oh no!