The scraped data of more than 2.6 million users of the popular language learning app Duolingo has been put up for sale on a dark web hacking forum.
The exposed information includes email addresses, names, and profile pictures. In the wrong hands, this data could be used for nefarious purposes like phishing attacks and other malicious activities.
First reports about the scraped Duolingo data emerged in January 2023, but it appears it was re-released on a new version of the Breached hacker forum this month for eight site credits, worth only $2.13. The same dump was earlier sold for $1,500 for the entire database.
The data was scraped using an exposed Duolingo application programming interface (API), on which public documentation is available.
As the tech news site BleepingComputer noted, this API is still openly available to anyone on the web, even though its abuse was reported to Duolingo in January.
