Targeted Phishing Risk for 2.6 Million Duolingo Users

Data relating to 2.6 million users of the popular language learning platform Duolingo has been offered for sale on a hacking forum.

The dataset was originally listed on the now-defunct Breached forum for $1,500 (€1,400) in January, but was recently relisted on a new version of the forum for 8 site credits – worth just $2.13 (€2).

According to BleepingComputer, the dataset was compiled by scraping the Duolingo site using an exposed API (application programming interface) “that has been shared openly since at least March 2023”.

However, Duolingo denied that the API was exposed: Cybernews reports that a spokesperson commented that it was “intentionally made public to help our learners find friends who are also using Duolingo. Duolingo learners have the option to make their profiles private if they would prefer not to have their profiles publicly searchable”.

Irrespective of Duolingo’s intentions, the endpoint worked as an account-confirmation oracle: a scraper fed it email addresses that had already been compromised in other breaches and recorded which ones it matched to active Duolingo accounts, compiling the dataset from the profiles returned.

Having investigated the issue further, the company confirmed that “this was not a breach or a hack; it was a scrape of data from public Duolingo profiles. No Duolingo systems or private user data were compromised”.

However, it did recognise that the API’s potential misuse by attackers was a data privacy and security concern.

It continued: “as a precautionary measure we have taken some steps to limit this from happening again. We have put in place rate limits on the specific API endpoint to make it more difficult for attackers to abuse. We take data privacy and security seriously and will continue to constantly evaluate our security measures to ensure learner safety”.
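The two technical points above, the scraper’s confirm-by-email approach and the per-endpoint rate limit Duolingo says it added, can be shown side by side. The following is an added illustration written for this article, not Duolingo’s code or data: the user store, the “breached” address list, the client identifier and the limit values are all constructed for the example. It contrasts an unrestricted lookup endpoint with a hardened one that rate-limits each client and returns an identical reply for unknown and private accounts.

```python
"""Account enumeration through a public profile-lookup endpoint, beside a
hardened version of the same endpoint. Constructed example: the users,
email list and limits below are invented for illustration."""
from collections import deque
import time

# Constructed user store. "private" is the opt-out the article mentions.
USERS = {
    "alice@example.com": {"username": "alice_learns", "name": "Alice", "private": False},
    "bob@example.com":   {"username": "bob_de",       "name": "Bob",   "private": True},
    "carol@example.com": {"username": "carol_fr",     "name": "Carol", "private": False},
}

# Constructed list standing in for addresses taken from other breaches.
BREACH_EMAILS = ["alice@example.com", "bob@example.com", "nobody@example.com",
                 "carol@example.com", "mallory@example.com"]


def lookup_weak(email):
    """Unrestricted lookup: any caller learns whether an account exists and
    receives the full record for every match, whatever the privacy setting."""
    user = USERS.get(email)
    if user is None:
        return {"found": False}
    return {"found": True, **user}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds
    for each client key (a source IP or API token in practice)."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = {}

    def allow(self, client):
        now = self.clock()
        q = self.calls.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=3, window=60)      # assumed values, not Duolingo's
NOT_FOUND = {"found": False}


def lookup_hardened(email, client):
    """Hardened lookup: rate-limited per client, and unknown or private
    accounts produce the same response, so the reply cannot confirm that an
    email address belongs to an account."""
    if not LIMITER.allow(client):
        return {"error": "rate limited", "status": 429}
    user = USERS.get(email)
    if user is None or user["private"]:
        return dict(NOT_FOUND)
    return {"found": True, "username": user["username"], "name": user["name"]}


def enumerate_accounts(lookup):
    """Replay the scraper's approach: submit each breached address and keep
    the ones the endpoint confirms."""
    return [e for e in BREACH_EMAILS if lookup(e).get("found")]


if __name__ == "__main__":
    print("weak endpoint confirms:", enumerate_accounts(lookup_weak))
    print("hardened endpoint confirms:",
          enumerate_accounts(lambda e: lookup_hardened(e, client="203.0.113.7")))
```

Against the constructed data the weak endpoint confirms all three accounts, including the one marked private; the hardened endpoint confirms only the public account it reaches before the limit trips. Note the caveat a reviewer would raise: a rate limit keyed on client identity slows a scraper but does not stop one that spreads requests across many addresses or tokens, so the response-shape change (private and unknown look alike) is the part that actually removes the confirmation signal for opted-out users.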

What is data scraping?

Data scraping or web scraping is a (typically automated) process that extracts information from websites, which is then exported into a useful format such as a spreadsheet.

Although it is not generally viewed as hacking, because the information it accesses is publicly available, the practice allows criminals to compile datasets of personal information that can be used to facilitate other attacks.

This is the case with Duolingo.

According to Cybernews, the data scraped from Duolingo contains “email addresses, usernames, names, and phone numbers (if provided by the user), information about social networks, and other generic info such as language studies, experience, progress and achievements”.

Increased risk of phishing attacks

If you use or have used Duolingo, the exposure of this data – and its sale – potentially puts you at risk from targeted phishing attacks. As a precaution, you should be extra vigilant about phishing emails purporting to come from Duolingo.

Phishing attacks work by impersonating trusted senders, tricking victims into opening malicious attachments or clicking on links to cloned websites that harvest credentials or serve malware.

Often you can detect them by looking out for certain signs, such as poor spelling and grammar, a generic greeting rather than your name, and attempts to persuade you to act quickly by creating a false sense of urgency.

Armed with the information scraped from Duolingo, however, attackers can achieve a far greater semblance of authenticity: an email that addresses you by name, quotes your username and refers to the language you are studying is much more likely to be believed than a generic one.

Combine this with the fact that AI makes it increasingly easy for attackers to craft and send plausible emails, and the risk of falling victim increases significantly.

Phishing Staff Awareness E-Learning Course

More than 90% of successful cyber attacks originate in phishing, making it the single biggest security threat your organisation faces.

Mitigating the risk is therefore critical to your information security strategy.

It’s not just a matter of implementing anti-malware software and email filtering solutions, as some malicious content will always make it as far as a recipient’s inbox.

It’s also essential to ensure your staff are appropriately trained to be aware of the risks they face, recognise the signs of a phishing email and know what to do if they do accidentally open one.

You can learn more about phishing attacks – and how to mitigate them – with IT Governance’s short Phishing Staff Awareness E-Learning Course.

This online course explains everything you need to know about scams, from phony text messages and emails to telephone con artists.

Your staff will learn about specific cons, the consequences of a successful attack, and how to identify a bogus message before it’s too late.
