Catch Of The Week: Duolingo Phishing Scams

By REBECCA RUTHERFORD
For the Los Alamos Daily Post

The Duolingo owl would be very disappointed to discover that the data of 2.6 million users was scraped from its website and is now being sold on the dark web. In January 2023, cybersecurity researchers discovered the data of 2.6 million users being sold on the dark web, with a starting bid of $1,500. Duolingo is a fun language learning app used by over 74 million users worldwide.

Scraping data from social media and other websites isn’t new; aside from cyber criminals, private businesses such as data brokers download this type of information to use for marketing purposes. The stolen data includes usernames, real names and user email addresses. But in this case, the email addresses of the Duolingo users weren’t publicly available and were obtained by exploiting an exposed API. The flaw has been on the Duolingo site since January 2023, and the company has yet to fix it.

At the time of the original attack, Duolingo confirmed that it was aware of the data scraping, and they were investigating precautions users might need to take. Sadly, the company failed to address the fact that the email addresses were not publicly available data, or to fix the exposed API.

The original forum where this data was for sale has been shut down, but according to security researchers at vx-underground, the data just went up for sale again on 08/21 in a new forum, for about $2. Yikes. With real name, username, and valid emails, crafting a targeted phishing email will be child’s play. Not only can the bad guys use this to steal personal or financial information, they could also use the phishing emails to convince users to install malware on their devices.

If you are a Duolingo user, you need to be aware that your data may have been exposed, leaving you a potential victim of these highly targeted phishing emails.

How can you stay safe from a phish?

  • Always review the sender’s address. Is the email actually from who it claims to be from, or is it from a fake or spoofed email address? See the example below of an email I received trying to pose as PayPal. Note the sender name is displayed as “pp depart” (I won’t even delve into the grammatical oddities of that gem), yet it is clearly a Gmail address. Also note how the email helpfully informs me it was “scanned by Gmail”, another clue that this is a phishing email.

  • Keep an eye out for poor grammar and misspellings; AI may be helping to increase the quality of phishing emails but this is still one to watch for.
  • Watch out for language that tries to instill a sense of urgency, trying to scare you into responding without thinking and falling for the phish.
  • Make sure that you are using a good antivirus to protect yourself from possible malware you might stumble into via clicking a bad link or opening a malicious attachment.
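The first three checks above (does the display name match the real sender domain, does an organizational-sounding name come from a consumer webmail account, and does the text push urgency) can be expressed as simple rules. The script below is an added example written for this column, not anything from Duolingo or the original article; the brand-to-domain table, the webmail and role-word lists, and the three sample messages are all constructed for illustration and are not real mail.

```python
"""Heuristic phishing checks on an email's From header, Subject and body.

Added example for the Duolingo phishing column; the brand table, word lists
and sample messages are constructed, not taken from any real mailbox.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumption: brands that are commonly impersonated and the
# domains they legitimately send from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "duolingo": {"duolingo.com"},
}
# Consumer webmail domains a company would not send official notices from.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Display-name words that claim an organizational role ("pp depart" style).
ROLE_WORDS = {"depart", "department", "support", "service", "billing",
              "security", "team"}
# Phrases that try to rush the reader into acting without thinking.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify now|act now)\b",
    re.IGNORECASE,
)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like a phish (empty list = no flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    name_words = display.lower().split()
    reasons = []

    # 1. Display name claims a known brand, but the address is not that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_words and domain not in domains:
            reasons.append(f"display name claims {brand!r} but sender domain is {domain!r}")

    # 2. Display name claims an organizational role, but the mail comes from webmail.
    if domain in FREEMAIL and any(w in ROLE_WORDS for w in name_words):
        reasons.append(f"organizational display name {display!r} from webmail domain {domain!r}")

    # 3. Urgency language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
PHISH_WEBMAIL = """\
From: pp depart <pp.depart.notice@gmail.com>
Subject: Your account will be suspended
Content-Type: text/plain

Dear customer, verify now or your account will be suspended within 24 hours.
"""

PHISH_BRAND = """\
From: PayPal Service <secure-paypal@outlook.com>
Subject: Action required: verify now
Content-Type: text/plain

We detected unusual activity. Act now to avoid suspension.
"""

LEGIT = """\
From: Duolingo <hello@duolingo.com>
Subject: Your weekly streak report
Content-Type: text/plain

Nice work keeping your streak this week.
"""

if __name__ == "__main__":
    for label, sample in [("webmail phish", PHISH_WEBMAIL),
                          ("brand phish", PHISH_BRAND),
                          ("legitimate", LEGIT)]:
        print(label, "->", check_message(sample) or ["no flags"])
```

These rules are deliberately coarse: they catch the obvious "pp depart at gmail.com" case from the column, not a spoofed header or a look-alike domain, so they belong alongside the sender-authentication checks a mail provider already performs, not in place of them.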

Duolingo has yet to release an official response to this incident, but for now users of the Duolingo service should be aware, and suspicious, since their information could be in the hands of cyber criminals crafting some very convincing phishing emails.

Stay safe, be aware, and don’t click that phish!

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
