Duolingo, one of the most popular language-learning platforms, has suffered a large-scale data scrape. The personal information of 2.6 million users was harvested and leaked on a dark web hacking forum, giving cybercriminals a ready-made target list for phishing campaigns built on the compromised details.
This information, a mix of public usernames, real names and (non-public) email addresses, amongst other fields, was being offered on the dark web as early as January 2023 for $1,500 via the now defunct hacking forum ‘Breached’. As of 24 August 2023 the price has collapsed, with the same dataset being sold for as little as $2.13.
The attackers scraped the data through a publicly accessible application programming interface (API) operated by Duolingo. Despite the potential for abuse, the company had left this API reachable from the internet without effective restrictions. By querying it with a huge volume of email addresses, largely sourced from earlier data breaches, the attackers could tell which addresses were tied to Duolingo accounts and pull back the associated public profile fields. In other words, an API that accepts a private identifier (an email address) as a lookup key, and answers differently for registered and unregistered addresses, becomes an account-enumeration oracle. The results were then packaged into datasets for sale on the dark web.
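To make the mechanism concrete, the following added example (written for this article, not Duolingo's real API or data) simulates both sides. A leaky profile endpoint accepts an email address as the lookup key and returns profile fields only when the address is registered, so an attacker can replay an old breach dump against it and keep the hits. A hardened endpoint refuses email as a query key, returns an identical empty answer whether or not the address is registered, and applies a per-client request budget so bulk probing is cut off. The user records, the "prior breach" email list and the endpoint shapes are all constructed for illustration.

```python
"""
Account enumeration through a public profile-lookup API, and a hardened
variant. Everything here (users, emails, endpoint behaviour) is constructed
for the example and does not describe Duolingo's actual API.
"""
from collections import defaultdict

# Constructed user store (hypothetical). Usernames and names are public on
# the platform; email addresses are not.
USERS = {
    "alice@example.com": {"username": "alice_learns", "name": "Alice Liddell"},
    "bob@example.com": {"username": "bob_b", "name": "Bob Builder"},
}

# Constructed 'prior breach' email list the attacker replays (hypothetical).
BREACH_DUMP = [
    "alice@example.com",
    "carol@example.com",
    "bob@example.com",
    "dave@example.com",
]


def leaky_lookup(identifier: str) -> dict:
    """Models the weak design: email accepted as a lookup key, and the
    response differs for registered vs unregistered addresses, so the
    endpoint confirms account existence and links email -> public profile."""
    user = USERS.get(identifier.lower())
    if user is None:
        return {"users": []}
    return {"users": [dict(user)]}


class HardenedLookup:
    """Hardened design: lookups only by the public username, email is never
    accepted as a key, and each client gets a bounded request budget per
    window so large-scale probing is throttled."""

    def __init__(self, budget_per_window: int = 20):
        self.budget = budget_per_window
        self.requests = defaultdict(int)  # client_ip -> requests this window
        self.by_username = {u["username"]: u for u in USERS.values()}

    def lookup(self, client_ip: str, query: str) -> dict:
        self.requests[client_ip] += 1
        if self.requests[client_ip] > self.budget:
            return {"error": "rate_limited"}
        if "@" in query:
            # Private identifier used as a key: answer exactly as for an
            # unknown username, regardless of whether the email is registered.
            return {"users": []}
        user = self.by_username.get(query)
        return {"users": [dict(user)]} if user else {"users": []}


def enumerate_accounts(endpoint, candidate_emails) -> dict:
    """Attacker loop: feed each email from the dump to the endpoint and keep
    every address that came back with a profile attached."""
    hits = {}
    for email in candidate_emails:
        resp = endpoint(email)
        if resp.get("users"):
            hits[email] = resp["users"][0]
    return hits


if __name__ == "__main__":
    print("leaky endpoint:", enumerate_accounts(leaky_lookup, BREACH_DUMP))
    hardened = HardenedLookup(budget_per_window=3)
    probe = lambda e: hardened.lookup("203.0.113.7", e)
    print("hardened endpoint:", enumerate_accounts(probe, BREACH_DUMP))
```

Against the leaky endpoint the loop links two of the four dumped addresses to live profiles; against the hardened one it links none, and the fourth request is already rate-limited. The rate limit alone would only slow a distributed scraper down, so the essential fix is the first one: never let a non-public identifier act as a query key on a public endpoint, and never let the response shape depend on whether that identifier exists.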
A second actor later posted an additional scrape on a relaunched version of the ‘Breached’ forum, pointing out that certain fields in Duolingo account records can indicate a higher permission level on the account. That observation made those accounts more attractive to attackers because of the elevated privileges they imply.
Usernames and real names on the Duolingo platform are already public; email addresses are not, and it is the linking of a private email address to a public profile that makes this scrape more damaging than the word "public" suggests. Duolingo has yet to acknowledge the incident, potentially leaving users unaware of the ramifications of the data scraping.
It is not uncommon for organisations to downplay the significance of scraped data, arguing that most of it is already publicly accessible. However, once publicly available data is combined with private data such as email addresses and phone numbers, the resulting dataset is far more useful for targeted phishing and account takeover, and harvesting it in this way often violates data protection law.
Notably, ‘Have I Been Pwned’, a website that lets people check whether their personal data has appeared in a data breach, confirmed that every email address in the Duolingo scrape was already present in its database from earlier breaches, which is consistent with the attackers having seeded the API with addresses from those prior leaks.