Duolingo is one of the world’s most popular language-learning apps, boasting tens of millions of monthly active users. However, early in 2023, news broke that Duolingo had suffered a data breach that exposed the data of over 2.5 million users.

The breach leaked public and private user information, including real names, email addresses, phone numbers, and enrolled courses. Here’s what you need to know.


The Duolingo Data Breach: What Happened?

The public learned of the issue in January 2023, when data from 2.6 million customer accounts was put up for sale on a hacking forum for $1,500.

The forum is now closed. However, security researchers from VX-Underground found the data being sold on a new version of the forum for eight site credits, which translates to about $2.13.

The hacker claims to have scraped the data from an exposed API and shared a sample from 1,000 accounts. The attacker likely fed email addresses from past breaches into the API to check if they were linked to active Duolingo accounts, creating a dataset with public and non-public data.
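The mechanism described above, an unauthenticated lookup that takes an e-mail address and answers with account details, is what lets a breach list be turned into a scraped dataset. As an added illustration (not Duolingo's code and not from the original article), the Python below places a lookup handler with that weakness beside a hardened version: private fields never leave the server, the response is identical whether or not the e-mail is registered, and callers are rate-limited. The user record, field names, `lookup_vulnerable`, `lookup_hardened`, `public_profile` and `RateLimiter` are all constructed assumptions for this example.

```python
"""Added example (not the article's or Duolingo's code): an e-mail lookup
endpoint in the shape the article describes, beside a hardened version.

All names, fields and the sample user below are constructed for illustration.
"""
from collections import defaultdict, deque
import time

# Constructed sample user store; field names are illustrative only.
USERS = {
    "alice@example.com": {
        "username": "alice_learns",           # public
        "real_name": "Alice Example",         # private
        "email": "alice@example.com",         # private
        "phone": "+1-555-0100",               # private
        "courses": ["Spanish", "French"],     # shown on public profile
        "country": "US",                      # shown on public profile
    },
}

# The only fields an unauthenticated caller should ever receive.
PUBLIC_FIELDS = ("username", "courses", "country")


def lookup_vulnerable(email):
    """The weak pattern: keyed by e-mail, returns the whole record.

    Two defects: the response confirms whether an e-mail has an account
    (a None vs. a dict), and it discloses private fields to any caller.
    Feeding a list of addresses from past breaches through this handler
    yields exactly the kind of dataset the article describes.
    """
    return USERS.get(email)


class RateLimiter:
    """Sliding-window limiter keyed by caller id (API key or client IP)."""

    def __init__(self, max_calls, window_seconds):
        self.max_calls = max_calls
        self.window = window_seconds
        self.calls = defaultdict(deque)

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[caller]
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(max_calls=5, window_seconds=60)


def lookup_hardened(email, caller, now=None, limiter=LIMITER):
    """E-mail lookup that leaks nothing about account existence.

    - Rate-limited per caller, so bulk probing of a breach list stalls.
    - Same response for registered and unregistered addresses; any
      "invite a friend" message would go out-of-band to the address itself,
      so the caller cannot tell the two cases apart.
    """
    if not limiter.allow(caller, now):
        return {"status": "rate_limited"}
    return {"status": "accepted"}


def public_profile(username):
    """Profile lookup by the public handle only, returning public fields only.

    Private data (real name, e-mail, phone) is never part of the response,
    so scraping this endpoint yields no more than the public profile page.
    """
    for record in USERS.values():
        if record["username"] == username:
            return {k: record[k] for k in PUBLIC_FIELDS}
    return None


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("alice@example.com"))
    print("hardened, known:  ", lookup_hardened("alice@example.com", "client-1"))
    print("hardened, unknown:", lookup_hardened("nobody@example.com", "client-1"))
    print("public profile:", public_profile("alice_learns"))
```

The design point is that an e-mail address should not be an unauthenticated lookup key at all: the hardened handler accepts the address, does any notification out-of-band, and answers the same way in both cases, while profile data is served only by public handle and only from an allow-list of fields. Rate limiting on its own is not enough, since a patient caller with many source addresses can still enumerate; the uniform response is what removes the oracle.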

The explanation from a Duolingo spokesperson is that the data was scraped from public profile information. However, it’s hard to accept this assertion fully since the scraped data included users’ real names, public logins, language-learning progress, and email addresses, which are typically not public.

Who Was Affected by the Duolingo Hack?

According to Surfshark research, the Duolingo data breach hit the US hardest, affecting almost 1 million accounts. South Sudan ranked second with 175,000 impacted accounts, followed by Spain (123,000), France (105,000), and the UK (98,000).

Each compromised email account had around five data points leaked, including the user’s name, username, profile picture, language, and country. In some cases, all of a user’s details were exposed.

What Happens to the Scraped Data Next?

Data brokers often collect scraped social media data and sell it to third parties for various purposes, including marketing. Cybercriminals, however, may use the leaked data of Duolingo users to execute social engineering attacks, like targeted phishing attacks, using the victims’ real names and valid email addresses.

Those affected could receive tailored phishing emails—like discounted language courses—thanks to leaked names, Duolingo course progress, and home country details. These emails could also include travel invitations to countries where the language you’re learning is spoken.

The cybercriminals may also impersonate Duolingo and send emails with links to what appears to be the paid version of Duolingo or a premium course. If you click these links and enter your payment details, the attacker can steal your information.

How to Deal With the Duolingo Data Breach

Data scraping from websites and apps is a well-known issue affecting many major tech companies. For instance, in April 2021, data from around 500 million LinkedIn users was scraped.

If you suspect your data was leaked in the breach, there are steps you can take to address it. One of them is checking whether your information was compromised by visiting the HaveIBeenPwned website, which states that all the breached Duolingo data was already in its database.

To prevent phishing, carefully inspect emails, especially urgent ones. Verify sender addresses, don’t click on suspicious links and attachments, and consider installing antivirus software for enhanced protection against malware in phishing emails.

Beware of impersonation attacks and never share sensitive information like usernames and passwords via email, as Duolingo doesn’t ask for such details in emails. Also, follow vendor advice, change your password, and consider setting up two-factor authentication.

What if you’re unsure about the security measures Duolingo took to protect user data? Or perhaps you have doubts about the effectiveness of your actions? In that case, you may try out other language-learning apps.

Protect Your Data and Strengthen Your Defenses

Data breaches have become increasingly common, and the stolen details can serve various purposes, from marketing to cyberattacks, including phishing attempts. Currently, malicious actors have access to many Duolingo users’ information, including their real names and email addresses.

To address data breaches, users should take proactive steps, including learning how to identify potential breaches and impersonation attempts and combat phishing attacks.