Tom’s Guide
Anthony Spadafora

Millions of Duolingo users at risk from targeted phishing attacks — what you need to know

A person using the Duolingo app on their smartphone

Learning a new language can be difficult, which is why Duolingo has grown into such a popular service that boasts more than 74 million monthly users worldwide. However, 2.6 million of those Duolingo users are now at risk of targeted phishing attacks, after hackers leaked their personal information online.

As reported by BleepingComputer, a hacker posted on a dark web forum back in January that they were selling the scraped data of 2.6 million Duolingo users for $1,500. Besides public usernames and real names, this collection of scraped data also included non-public personal information such as user email addresses and internal information from Duolingo.

Scraping data from social media platforms and other websites is nothing new; besides hackers, private businesses such as data brokers often download this type of information to use for marketing purposes. However, in this case, the email addresses of Duolingo users weren’t publicly available and were instead obtained by exploiting an exposed API.

At the time, Duolingo confirmed to TheRecord that it was aware that hackers had scraped public profile information from its language learning platform and that it was investigating any additional precautions that should be taken. However, the company did not address the fact that users’ email addresses were also contained in this scraped data.

Scraped email addresses

While the dark web forum in which this Duolingo user data was first advertised has since been shut down, the scraped data has now been released on a new version of the forum at a much lower price, just over $2.

In a post on X (formerly Twitter), VX-Underground explained that the hacker behind this data leak identified a bug in Duolingo’s API that provides a user’s name, email and all of the languages they’ve studied when a valid email is sent to it. From here, the hacker responsible “used an email list to assemble over 2.6m unique entries.”

Unfortunately, this bug in Duolingo’s API is still active and BleepingComputer was able to test it out for themselves. Until this is fixed, anyone can obtain the email addresses of the service’s users.
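The API behaviour VX-Underground describes (a valid email in, the matching profile out, with no authentication required) is a user-enumeration oracle: anyone holding a purchased email list can confirm which addresses have accounts and collect the real name attached to each. The following is an added example, not Duolingo's code, showing that shape in a constructed Python service next to the form a defender would want: authenticated self-lookup only, an identical response for hits and misses, and a per-client rate limit. The user records, session store and `RateLimiter` are all hypothetical.

```python
"""Added example (not Duolingo's code): a vulnerable email-lookup endpoint
next to a hardened one.  Users, sessions and the limiter are constructed."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample user store (hypothetical data, not real accounts).
USERS = {
    "alice@example.com": {"name": "Alice", "languages": ["es", "fr"]},
    "bob@example.com": {"name": "Bob", "languages": ["de"]},
}


def vulnerable_lookup(email: str) -> dict:
    """Unauthenticated lookup: any caller who supplies a valid email gets the
    profile back, and a miss (404) is distinguishable from a hit (200).  Feeding
    a list of addresses through this is what turns 'public profiles' into
    name+email pairs."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {"error": "no such user"}}
    return {"status": 200, "body": {"email": email, **user}}


@dataclass
class RateLimiter:
    """Per-client sliding window: at most `limit` requests per `window` seconds."""
    limit: int = 5
    window: float = 60.0
    hits: Dict[str, List[float]] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self.hits.get(client, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[client] = recent
            return False
        recent.append(now)
        self.hits[client] = recent
        return True


limiter = RateLimiter()
SESSIONS: Dict[str, str] = {}  # constructed session store: token -> logged-in email


def login(email: str) -> str:
    """Constructed stand-in for a real login flow: issue a random session token."""
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return token


def hardened_lookup(email: str, session_token: Optional[str], client_ip: str,
                    now: Optional[float] = None) -> dict:
    """Same feature, three fixes:
    1. rate limit per client before anything else, so bulk list-checking is
       slow and shows up in logs as 429s;
    2. the caller must be authenticated and may only read their own record;
    3. every refusal is the same status with an empty body, whether the address
       exists or not, so the endpoint cannot confirm account existence."""
    now = time.time() if now is None else now
    if not limiter.allow(client_ip, now):
        return {"status": 429, "body": {}}
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None or caller != email:
        return {"status": 404, "body": {}}
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "body": {}}
    # Note: the email itself is never echoed back; the caller already knows it.
    return {"status": 200, "body": {"name": user["name"], "languages": user["languages"]}}
```

The ordering matters: the rate limit runs before the session check, so an unauthenticated scraper is throttled just like a logged-in one, and the uniform 404 means an attacker learns nothing from a refused request that they did not already know.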

With a real name and valid email address in hand, hackers have all the information they need to launch targeted phishing attacks against Duolingo’s users. Unlike regular phishing emails, these messages would be much more personalized since the hackers sending them out have more information to work with. At the same time, they could also try to impersonate Duolingo in their messages in the hope that potential victims would be more likely to click.

Besides trying to steal your money, hackers could use these targeted phishing emails to get Duolingo users to install malware on their computers or to provide their credentials or even their payment information since the service does have a paid tier called Super Duolingo.

How to stay safe from phishing scams


In order to avoid falling victim to phishing, you need to carefully examine all of the emails that arrive in your inbox. 

This means looking at the sender’s address and checking to see if it’s a legitimate email address used by Duolingo. From here, you'll want to look out for misspelled words and poor grammar as these are a major red flag when it comes to phishing emails. You also want to avoid clicking on any links or downloading any attachments these suspicious emails may contain.

Likewise, you'll want to be on the lookout for language that tries to instill a sense of urgency, as hackers and other cybercriminals often use your emotions against you. If you’re worried about a potential deadline or losing access to your Duolingo account, you’re more likely to reply or do what a scammer suggests in their phishing email.
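The checks above (sender address, urgency wording, links) can be applied mechanically before a person reads a message. The following is an added example, not from the article: a small Python triage function run over two constructed messages, reporting each red flag it finds. `TRUSTED_DOMAINS` is a placeholder allowlist and says nothing about which domains Duolingo actually sends from; the sample emails and phrase list are constructed for the demo.

```python
"""Added example (not from the article): mechanical phishing triage that
mirrors the advice in the text.  Domains, phrases and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-language-app.com"}  # placeholder allowlist
URGENCY_PHRASES = ("within 24 hours", "will be suspended", "immediately",
                   "final notice", "act now")
LINK_RE = re.compile(r"https?://[^\s\"'<>)]+")


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def addr_domain(header_value) -> str:
    """Domain part of the address in a From/Reply-To header, ignoring the display name."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> List[str]:
    """Return a list of 'kind:detail' findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart messages are out of scope here
        body = ""
    findings: List[str] = []
    from_domain = addr_domain(msg.get("From"))
    if not is_trusted(from_domain):
        findings.append(f"sender-domain-untrusted:{from_domain}")
    reply_domain = addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency-language:{phrase}")
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_trusted(host):
            findings.append(f"link-host-untrusted:{host}")
    return findings


# Constructed sample messages (not real mail).
BENIGN = """From: Example App <hello@example-language-app.com>
To: alice@example.com
Subject: Your weekly progress

Nice work this week, Alice. See your stats at https://www.example-language-app.com/progress
"""

SUSPICIOUS = """From: Example App Support <support@example-language-app-support.com>
Reply-To: support@mail-verify.co
To: alice@example.com
Subject: Final notice

Your account will be suspended within 24 hours unless you verify your payment at https://example-language-app.verify-login.co/update
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage(raw))
```

The lookalike sender domain is the most important finding: the display name says "Example App Support", but the address domain is not on the allowlist, which is exactly the mismatch the article tells readers to look for. A link whose hostname merely starts with the brand name is caught the same way, since `is_trusted` checks the registered domain, not a prefix.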

For additional protection against malware or any other threats phishing emails may contain, you should install the best antivirus software on your PC, the best Mac antivirus software on your Mac or one of the best Android antivirus apps on your smartphone.

We'll have to wait and see how Duolingo responds to this incident, but in the meantime, Duolingo users need to be extremely cautious as their real names and email addresses could be in the hands of hackers right now.
