Submitted 1 year ago by stopthatgirl7@kbin.social to technology@lemmy.world
The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.
Do the people that release these get paid somehow? Or do they just do it for hacker cred and say fuck these 2.6M people?
In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500.
…
As first spotted by VX-Underground, the scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.
“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!,” reads a post on the hacking forum.
HODL, the value will go up again for sure
This part is also, ummm, interesting...
BleepingComputer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.
They’ll send fake emails where the green owl comes to collect “late fees” for your 216-day streak of missed Spanish lessons.
We’ve been trying to reach you about your language course’s extended warranty…
You’ll have to pay with Google play cards
Both.
Next email from duo: give me your credit card details
Damn, they’ll know I didn’t finish that Spanish lesson the bird bothered me about!
I hope they don’t fucking send me spam.
Depending on how far you got, you might not understand it anyway.
estamos jodidos señor búo
I pray for whoever pisses off the duolingo bird
“Scraped” data suggests that it’s data available on public profile pages. However, the article also says the dump is a mix of public and non-public info. So which is it, scraped or not?
I’m so glad I switched to duck email. Might as well changes it again and block the old email.
DDG email is AMAZING! I only wish it would have been around before my email got exposed.
Only one thing to do… Start over fresh.
I just did this a few months ago, and it feels really good to have a proper set-up now, with privacy respecting companies all around.
Live and learn and share right! 😉
How is that API still up after this has happened?
Is there a list on what data exactly got leaked, that wasn’t public before?
However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information.
oh non!
RanchOnPancakes@lemmy.world 1 year ago
Oh no. Now they know the aliased email address, unique password, and that I didn’t try very hard to learn spanish.
(please note: this is a joke, I don’t see anything about them getting passwords)
stevedidWHAT@lemmy.world 1 year ago
Something to note here - with AI, if you’re using any sort of heuristic for your password, it’s pretty simple to work out a pretty good set of possibilities which makes brute force even easier and puts you at risk across the board.
Always come up with random passwords that are as random as possible. If there’s a path you took to get to a password, in theory it can be worked backward.
For example I know some people who only change a single letter when changing their passwords which is ultimately trivial to guess if the old password was compromised (hence the need to change the password or the need to proactively work against this possibility)
lobut@lemmy.ca 1 year ago
I use a heuristic to update my main passwords. It’s not a character but easily guessable if you see it in plaintext and now you’ve made me facepalm my actions.
I only use that for certain things because I use Google Oauth or Bitwarden for most things and you’ve just woken me up about what could be exposed.
Tyler_Zoro@ttrpg.network 1 year ago