A claimed 2.6 million Duolingo users are at risk of being targets of phishing attacks, as scrapped data leaked on a hacking forum reveals personal details of a user’s Duolingo account.
The scrapped data includes public information as part of a user’s Duolingo profile, including the user’s actual name and login name. However, the leaked data also claims to include email addresses and phone numbers, which is information that can be used in targeted phishing attacks.
The threat actor took advantage of a bug in Duolingo’s open application programming interface (API), which allows anyone to send a legitimate email or username to the API to get user account information. This lets hackers retrieve personal data on a user and validate their email addresses.
As shown by threat intelligence platform FalconFeedsio, the scrapped data of the 2.6 million Duolingo users was initially sold on a now-closed Breached hacking forum in January 2023, with a starting price of $1,500.
Now, this data is up for grabs on a new Breached hacking forum, as spotted by vx-underground. The 2.6 million scrapped dataset is now worth around $2.13 and claims to include users’ names, email addresses, phone numbers, learning languages and more.
As noted by BleepingComputer, the exposed API is still available to anyone. Duolingo previously stated it was investigating the issue but didn’t address the included email information and has yet to solve the API problem. Threat actors continue to use email addresses and usernames to confirm Duolingo user logins, which can lead to targeted phishing attacks.
The popular language learning platform has around 56 million monthly users, meaning more users could be exposed. For more information on what is phishing and the best ways to protect yourself, read on.
- Norton Genie revealed: Try this free AI-powered scam detection tool
- Exclusive: Norton 360 warns ‘data is where the real currency is’
What is Phishing?
Phishing is a form of cybercrime where attackers will trick unsuspecting victims into sending sensitive information or installing malware on their devices. It involves contacting victims via email, text message or telephone and posing as a legitimate company or individual seeking information to benefit the victim. Malicious actors will use social engineering techniques to convince unsuspecting victims they are real.
If you received an email that looks suspicious, you aren’t alone. Scammers often send millions of phishing emails, thousands at a time, to trick recipients, with malicious messages being sent to email addresses found through social profiles or via data breaches. These email scams are widespread, meaning attackers cast a wide net to see how much they can reel in.
Phishing attacks commonly use links in messages to dodgy websites or PDF attachments with malware to quickly gain unauthorised access to user accounts or steal valuable information.
With phishing scams on the rise, it’s best to use proper protection to fend off any suspicious messages you receive. Along with tools like Norton Genie, using other protection methods such as Windows 11 Enhanced Phishing Protection is good practise.
You can find out how to block scam email senders and more with these guides.
Use antivirus software to stop phishing from Duolingo data leak
One of the best antivirus software will stop phishing in its tracks. Many high-standard AV protection offers near-perfect scores when detecting and protecting against malware, meaning even complex malicious software can’t go unnoticed in messages or emails.
Messages from scammers can contain harmful links or attachments filled with malware, which you never want on your device. The good news is you can let one of the best antivirus software services do all the legwork for you, as they have security and privacy features to protect your accounts.
Services such as Avast One, Bitdefender, Norton 360 and more have protection tools that block malicious email addresses, links and attachments. To make sure scams block malware damaging your device or keep you safe from threat actors hacking your phone through texting and more, set yourself up with an antivirus.