BleepingComputer reports that data scraped from 2.6 million users of major language-learning platform Duolingo has been exposed on the new iteration of the Breached hacking forum, seven months after the data was initially peddled on the now-defunct Breached site.
Threat actors have been selling the user dataset, which includes real and login names, as well as email addresses, for the equivalent of $2.13, according to VX-Underground, which first discovered the posting.
The information included in the leak was scraped through an exposed application programming interface (API), which returned JSON output with users' public profile information when usernames and email addresses were submitted.
The API, which may have been used to expose Duolingo accounts through email addresses that attackers may have obtained in prior breaches, continues to be available to the public despite having been reported to Duolingo in January.