Are Your Details Safe? Duolingo Users Face Massive Data Leak

When using any app or browsing online, how secure is your personal information? Duolingo, the popular language learning app, has recently suffered a significant data breach, exposing the personal data of over 2.6 million users.

The security lapse occurred in January 2023 and has put a spotlight on the vulnerability of Duolingo’s API (application programming interface). The API had been exposed for months, allowing anyone to access both public and private user information by simply entering a username or email. Despite this vulnerability being publicly documented by several researchers, Duolingo took no action to rectify it, according to OK Diario.

The Hacker’s Market

In January 2023, a hacker exploited this weakness and extracted the data of 2.6 million Duolingo users. The hacker initially attempted to sell the dataset for $1,500 on the now-defunct Breached forum. However, finding no buyers, the hacker later offered the data on another version of the same forum for a mere eight credits, roughly equivalent to $2.13.

The leaked data includes not just public information like usernames and real names, but also private details such as email addresses, which are not publicly visible on Duolingo profiles. These emails could be weaponised by cybercriminals to send fraudulent messages, impersonating Duolingo or other organisations, in an attempt to trick users into revealing their login credentials for other digital services or transferring money to scam accounts.

Duolingo, which boasts over 74 million monthly active users, has confirmed the data breach. However, the company has downplayed its significance, stating that it involves only public information. They have yet to explain why they did not fix the API vulnerability or warn their users about the risks they face.

Expert Advice

Cybersecurity experts recommend that Duolingo users change their passwords and enable two-step verification where possible. Users should also be vigilant for any suspicious emails and avoid clicking on any links or downloading attachments without verifying their authenticity. Additionally, it’s advisable to regularly review bank statements and transactions, reporting any irregularities.