In a worrying development for language learners, the data of 2.6 million Duolingo users has been leaked on a hacking forum. This data includes a mix of public and private information, raising concerns about targeted phishing attacks and potential misuse.
What Data Was Exposed?
The leaked data includes a combination of public and non-public information:
- Public: login names and real names (as displayed on Duolingo profiles)
- Non-public: email addresses and internal Duolingo service information
Approximately five data points were leaked for each affected email address, including names, usernames, profile pictures, languages, and countries. In some cases, all of a user’s information was exposed. The leaked fields include:
- Streak (a measure of how consistently users use the app)
- Profile picture URL
- XP points and crowns (indicating progress on courses)
- Facebook and Google account associations
- User ID
- Creation date
- Name
- Location
- Email verification status
This allows malicious actors to connect publicly available information with private contact details, significantly increasing the potential for targeted attacks.
The breach impacted users worldwide, with the US being the most affected country, followed by South Sudan, Spain, France, and the UK.
How Did This Happen?
The data was scraped using an exposed application programming interface (API) that has been openly accessible since at least March 2023.
Through this API, anyone could submit a username and retrieve a user’s public profile information. More alarmingly, the API allowed confirmation of email addresses associated with valid Duolingo accounts.
Despite reports of the API’s misuse in January 2023, Duolingo has not taken steps to restrict access or address the vulnerability. This lack of action leaves the API open for further abuse and potentially exposes more users’ data.
The scraped data was initially offered for sale on a hacker forum in January for $1,500. It is now available on another cybercrime marketplace for just $2.13.
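An added example, not from the article or from Duolingo: a small Python detector, run over constructed API access-log lines, that flags a client looking up many distinct profiles in a short window, which is the pattern a scraper of a lookup endpoint like the one described above leaves behind. The log format, the `/users` endpoint path and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real Duolingo logs).
# Format: <ISO timestamp> <client ip> <path> <status>
SAMPLE_LOG = """\
2023-03-01T10:00:00 203.0.113.5 /users?username=alice 200
2023-03-01T10:00:03 198.51.100.7 /users?username=carol 200
2023-03-01T10:00:05 203.0.113.5 /users?username=bob 200
2023-03-01T10:00:07 198.51.100.9 /courses?lang=es 200
2023-03-01T10:00:10 203.0.113.5 /users?username=carol 200
2023-03-01T10:00:15 203.0.113.5 /users?username=dave 200
2023-03-01T10:00:20 203.0.113.5 /users?username=erin 200
2023-03-01T10:00:25 203.0.113.5 /users?email=frank%40example.com 200
2023-03-01T10:00:30 198.51.100.7 /users?username=carol 200
2023-03-01T10:00:50 198.51.100.7 /users?username=carol 200
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, endpoint, query, status)."""
    ts, ip, path, status = line.split()
    endpoint, _, query = path.partition("?")
    return datetime.fromisoformat(ts), ip, endpoint, query, int(status)


def find_enumerators(log_text, window=timedelta(minutes=1),
                     max_lookups=5, max_distinct=3):
    """Flag clients whose lookup volume or breadth of distinct targets
    (usernames or e-mail probes) in any sliding window exceeds a threshold.
    Returns {ip: {"lookups": peak count, "distinct": peak distinct targets}}."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, query) in window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, endpoint, query, _status = parse_line(line)
        if endpoint != "/users":          # only the profile-lookup endpoint
            continue
        q = recent[ip]
        q.append((ts, query))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(q) > max_lookups or len(distinct) > max_distinct:
            hit = flagged.setdefault(ip, {"lookups": 0, "distinct": 0})
            hit["lookups"] = max(hit["lookups"], len(q))
            hit["distinct"] = max(hit["distinct"], len(distinct))
    return flagged


if __name__ == "__main__":
    # A user refreshing one friend's profile a few times is not flagged;
    # the client walking through many distinct targets is.
    print(find_enumerators(SAMPLE_LOG))
```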
What Duolingo Says
- Duolingo claims the data was scraped from public profiles, not through a breach or hack.
- The company added rate limits to the exposed API to make it more difficult for attackers to abuse.
- They encourage users to make their profiles private if they want to protect their information.
What Are the Risks?
The leaked data poses significant risks to users, including:
- Targeted phishing attacks: Malicious actors can use the exposed information to launch personalized phishing attacks, making them more likely to succeed.
- Account takeover: Hackers could use the data to gain access to Duolingo accounts and potentially steal personal information or learning progress.
- Doxing: Hackers could use the leaked information to identify individuals and publish their private details online.
- Spam and marketing campaigns: Leaked email addresses can be used for targeted spam campaigns or sold to other parties.
What Should Users Do?
Here are some steps Duolingo users can take to protect themselves:
- Change your Duolingo password to a strong, unique password that is not used for any other account.
- Review your Duolingo privacy settings and make your profile private if you haven’t already.
- Be cautious of emails claiming to be from Duolingo, and do not click on any links or attachments unless you are confident they are legitimate.
- Consider using a privacy-focused email address for Duolingo. This can help mitigate the risk of your email address being exposed in future leaks.
- Monitor your accounts for suspicious activity, and contact Duolingo support immediately if you notice anything unusual on your Duolingo account.
What Should Duolingo Do?
Duolingo needs to take immediate action to address this data leak and protect its users. Here are some key steps they should take:
- Secure the exposed API: restrict access to the API and ensure it is not publicly accessible.
- Investigate the scope of the data leak: determine exactly what information was exposed and how many users were affected.
- Notify affected users: inform users about the data leak and provide clear instructions on how to protect themselves.
- Review data security practices: conduct a thorough review of their data security practices and implement necessary improvements.
- Encrypt user data: encrypt user data at rest and in transit to protect it from unauthorized access.
- Be transparent: provide users with clear and concise information about how their data is collected, used, and protected.
This incident highlights the importance of data security and the need for companies to be more proactive in protecting user information. Duolingo must take immediate action to restore trust and ensure the safety of its users.