
Duolingo, one of the most popular language-learning sites, has suffered a large-scale data scrape. The personal information of 2.6 million users has been scraped and leaked on a dark web hacking forum, giving cybercriminals ready-made material for targeted phishing campaigns.
The data, a mix of publicly visible usernames, real names and email addresses, among other fields, was first offered on the dark web as early as January 2023 for $1,500 on the since-dismantled hacking forum ‘Breached’. As of 24 August 2023, its value has collapsed: the same dataset is now being sold for as little as $2.13.

Figure 1 – An Example of Scraped Duolingo Account Data

The attackers scraped the data through a publicly accessible, unauthenticated application programming interface (API) operated by Duolingo. Despite the obvious potential for abuse, the company had left this API open on the internet. The attackers fed it a very large volume of email addresses, largely harvested from earlier, unrelated breaches: for each address, the API revealed whether a Duolingo account existed and returned that account's profile data. This is a classic account-enumeration oracle, and it let them link email addresses to Duolingo accounts and assemble the datasets later sold on the dark web.

A second actor later published an additional scrape on a new incarnation of the ‘Breached’ forum, pointing out that certain internal fields in the returned account records indicate elevated permission levels. That made the affected accounts more attractive targets, since an attacker can pick out the privileged ones directly from the scraped data.
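To make the two preceding points concrete (an email-keyed lookup that acts as an existence oracle, and a response that echoes internal permission fields), here is an added example in Python. It is not Duolingo's code; the user store, session tokens, field names such as is_admin and the "add a friend by email" feature are all constructed for illustration. The vulnerable function shows the pattern that makes breach-list enumeration possible; the hardened functions require authentication, rate-limit per caller, return the same response whether or not the email exists, and only ever expose profile data keyed on the public username with internal fields stripped.

```python
"""Account-lookup API hardening: the enumeration oracle behind the Duolingo
scrape, beside a version that leaks neither account existence nor internal
fields. Constructed example; none of this is Duolingo's code."""
from collections import defaultdict, deque
from typing import Optional

# Constructed user store. "is_admin" stands in for the kind of internal
# field the article says marked some accounts as higher-privileged.
USERS = {
    "alice@example.com": {"username": "alice_learns", "name": "Alice Example", "is_admin": False},
    "bob@example.com": {"username": "bob_b", "name": "Bob Builder", "is_admin": True},
}
PUBLIC_FIELDS = ("username", "name")

# Constructed session store: token -> authenticated username.
SESSIONS = {"tok-alice": "alice_learns"}
INVITE_QUEUE = []


def lookup_vulnerable(email: str) -> dict:
    """Anti-pattern: unauthenticated lookup keyed on a private attribute.

    The status code alone tells the caller whether the email has an account,
    and the body echoes the whole record, internal flags included. Replaying
    a breach list of emails against this yields the dataset the article describes.
    """
    record = USERS.get(email.strip().lower())
    if record is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": dict(record)}


class SlidingWindowLimiter:
    """Per-caller sliding-window limiter: at most `limit` calls per `window` seconds.
    The current time is passed in explicitly so behaviour is deterministic."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _queue_invite(from_user: str, to_email: str) -> None:
    # Matching against USERS would happen here, server-side; the caller never sees it.
    INVITE_QUEUE.append((from_user, to_email))


def lookup_hardened(email: str, token: str, limiter: SlidingWindowLimiter, now: float) -> dict:
    """Same feature ("add a friend by email"), three changes:
    1. the caller must be authenticated, so abuse is attributable;
    2. calls are rate-limited per caller, so a breach list cannot be replayed at scale;
    3. the response is identical whether or not the email has an account, and
       the looked-up user's record is never returned.
    """
    caller = SESSIONS.get(token)
    if caller is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    if not limiter.allow(caller, now):
        return {"status": 429, "body": {"error": "too many requests"}}
    _queue_invite(from_user=caller, to_email=email.strip().lower())
    return {"status": 202, "body": {"result": "invite queued"}}


def public_profile(username: str) -> Optional[dict]:
    """Profile lookup keyed on the *public* identifier, returning only fields
    meant to be public. Internal flags such as is_admin never leave the server."""
    for record in USERS.values():
        if record["username"] == username:
            return {k: record[k] for k in PUBLIC_FIELDS}
    return None


if __name__ == "__main__":
    # Constructed enumeration attempt: two emails from a "breach list".
    probes = ["alice@example.com", "nobody@example.com"]
    print("vulnerable:", [lookup_vulnerable(e)["status"] for e in probes])
    lim = SlidingWindowLimiter(limit=5, window=60.0)
    print("hardened:  ", [lookup_hardened(e, "tok-alice", lim, now=0.0)["status"] for e in probes])
    print("profile:   ", public_profile("bob_b"))
```

Run stand-alone, the vulnerable lookup answers 200 for the existing address and 404 for the unknown one (the oracle), while the hardened lookup answers 202 for both and the public profile for bob_b carries no is_admin field. The rate limiter is deliberately keyed on the authenticated caller rather than the source IP, since enumeration traffic is routinely spread across proxies.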

Usernames and real names on the Duolingo platform are publicly visible; email addresses are not, and it is the exposure of those hidden email addresses, tied to named accounts, that makes this scrape dangerous. Duolingo has yet to acknowledge the incident, potentially leaving users unaware of the ramifications of the scraping.

It is not uncommon for organisations to downplay the significance of scraped data, arguing that most of it was already publicly accessible. However, once that public data is combined with private data such as email addresses and phone numbers, the result is a far more useful target list for attackers, and its collection and sale often violate data protection laws.

Notably, ‘Have I Been Pwned’, a website that lets people check whether their personal data has appeared in data breaches, confirmed that the entirety of the scraped Duolingo data was already present in its database.

Recommendations:

  • Users with Duolingo accounts are advised to promptly change the usernames, passwords and email addresses associated with their accounts.
  • Consider temporarily deleting your Duolingo account until the vulnerability has been effectively addressed.
  • Be alert to phishing attempts that use the scraped data. Verify the sender's authenticity and the legitimacy of the sending address before acting on any message.
  • Promote cyber security awareness so that individuals can recognise potential phishing threats.
  • Comprehensive guidance is available in our ‘Data Breaches Guidance for Individuals’ download.
