Language learning platform Duolingo is actively investigating a potential security breach after a post surfaced on a hacking forum offering access to 2.6 million customer accounts for $1,500.
While no breach or hack has been confirmed, the post raised concerns by providing information such as email addresses, phone numbers, and course data, all gleaned by scraping public profile information. Duolingo's spokesperson emphasized the company's commitment to data privacy and security, assuring users that it is taking the matter seriously and conducting an investigation to assess whether further protective measures are necessary.
The hacker behind the post claimed to have acquired the data by scraping an exposed application programming interface (API), shedding light on the persistent issue of data scraping faced by major tech companies. This problem has been exacerbated by the availability of tools that empower individuals to extract vast amounts of data from websites, often exploiting API vulnerabilities or links to external sites.
Recent legal actions, such as Meta’s lawsuit against a surveillance service, illustrate the ongoing battle to combat data scraping activities. These activities have seen a significant increase, with a reported 240% year-over-year rise, primarily due to the use of bots by cybercriminals, as noted by Human Security.
Data scraping has been a concern for several major platforms in recent years. Facebook, for example, has previously taken legal action against individuals who scraped user data, including lawsuits against data scrapers in 2021.
In 2022, Human Security reported a substantial year-over-year increase in web scraping, highlighting the need for stronger security measures to protect user data from unauthorized access and potential misuse by cybercriminals.