Duolingo data leak

A claimed 2.6 million Duolingo users are at risk of being targets of phishing attacks, as scrapped data leaked on a hacking forum reveals personal details of a user’s Duolingo account.

The scrapped data includes public information as part of a user’s Duolingo profile, including the user’s actual name and login name. However, the leaked data also claims to include email addresses and phone numbers, which is information that can be used in targeted phishing attacks.

The threat actor took advantage of a bug in Duolingo’s open application programming interface (API), which allows anyone to send a legitimate email or username to the API to get user account information. This lets hackers retrieve personal data on a user and validate their email addresses.

As shown by threat intelligence platform FalconFeedsio, the scrapped data of the 2.6 million Duolingo users was initially sold on a now-closed Breached hacking forum in January 2023, with a starting price of $1,500.

Duolingo Scrapped Data leak post
Duolingo scrapped user data leak post via FalconFeedsio

Now, this data is up for grabs on a new Breached hacking forum, as spotted by vx-underground. The 2.6 million scrapped dataset is now worth around $2.13 and claims to include users’ names, email addresses, phone numbers, learning languages and more.

As noted by BleepingComputer, the exposed API is still available to anyone. Duolingo previously stated it was investigating the issue but didn’t address the included email information and has yet to solve the API problem. Threat actors continue to use email addresses and usernames to confirm Duolingo user logins, which can lead to targeted phishing attacks.

The popular language learning platform has around 56 million monthly users, meaning more users could be exposed. For more information on what is phishing and the best ways to protect yourself, read on.

See more:

What is Phishing?

Phishing is a form of cybercrime where attackers will trick unsuspecting victims into sending sensitive information or installing malware on their devices. It involves contacting victims via email, text message or telephone and posing as a legitimate company or individual seeking information to benefit the victim. Malicious actors will use social engineering techniques to convince unsuspecting victims they are real.

If you received an email that looks suspicious, you aren’t alone. Scammers often send millions of phishing emails, thousands at a time, to trick recipients, with malicious messages being sent to email addresses found through social profiles or via data breaches. These email scams are widespread, meaning attackers cast a wide net to see how much they can reel in.

Phishing attacks commonly use links in messages to dodgy websites or PDF attachments with malware to quickly gain unauthorised access to user accounts or steal valuable information.

Hackers will also resort to installing malicious software, including spywareransomwareadware and more, onto a victim’s device to cause more damage.

With phishing scams on the rise, it’s best to use proper protection to fend off any suspicious messages you receive. Along with tools like Norton Genie, using other protection methods such as Windows 11 Enhanced Phishing Protection is good practise.

You can find out how to block scam email senders and more with these guides.

Use antivirus software to stop phishing from Duolingo data leak

One of the best antivirus software will stop phishing in its tracks. Many high-standard AV protection offers near-perfect scores when detecting and protecting against malware, meaning even complex malicious software can’t go unnoticed in messages or emails.

Messages from scammers can contain harmful links or attachments filled with malware, which you never want on your device. The good news is you can let one of the best antivirus software services do all the legwork for you, as they have security and privacy features to protect your accounts.

Services such as Avast OneBitdefenderNorton 360 and more have protection tools that block malicious email addresses, links and attachments. To make sure scams block malware damaging your device or keep you safe from threat actors hacking your phone through texting and more, set yourself up with an antivirus.

Darragh Murphy
Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from the mischievous world of online security to washing machines designed for earbuds. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for laptops into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. When he's not checking out the latest devices and all things tech, he can be found swimming laps, watching terrible shark movies, and trying to find time to game.  Previous Editor at Laptop Mag and News Editor at Time Out Dubai, specialising in food culture, nightlife events, gaming, tech and entertainment.


Please enter your comment!
Please enter your name here