
If you ever used Duolingo, watch out for phishing emails

Image: Duolingo

Users of language-learning site Duolingo have a painful lesson to review right now—once your personal data is out on the web, there’s no taking it back. Worse still, the more you’ve shared about yourself, the more you have to be wary of targeted phishing attacks.

According to Bleeping Computer, about 2.6 million accounts are directly affected. Public and private data was scraped from them through an exposed application programming interface (API), and then offered on a hacking forum back in January. Login and real names, email addresses, phone numbers, and courses studied were part of the collection, which went for $1,500. Now that data has resurfaced on a different forum, and at a substantially lower cost of just a few dollars.

The API that yielded these user details is also still publicly available. As researchers discovered, a username query returns public profile details, while submitting an email address (such as one obtained from another data breach or scraped data collection) reveals private data, including the profile image, location, and whether a Facebook or Google account is linked. Taken together, these pieces of data can help scammers and hackers craft more tailored phishing attempts.


Unfortunately, Duolingo users can’t expect much protection from the service. When this data first appeared, the company characterized the lost data as “public profile information” in a statement to The Record. It also has yet to answer Bleeping Computer’s recent questions about why the API is still publicly available.

So what can you do? First and foremost, keep up with your normal online security practices. In particular, avoid opening email from unfamiliar senders as much as possible, and especially don’t click on links or download files from them. (Same goes for text messages.) Use unique, strong passwords for every website and app, too, and store them in a secure password manager.

You can also anonymize your profiles online. Remove your real name, disconnect your Google and Facebook accounts, and upload a generic avatar image. Consider using a masked email address (or at least, a second email address meant just for fun services and email lists) as well. It can make telling apart real email from phishing attempts a little easier.

Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.
