Threat Actors Leak 2.6 Million DuoLingo Users' Data on Hacking Forum
Other Hackers Can Use the Exposed Data in Targeted Phishing Attacks.
Malicious actors exposed 2.6 million DuoLingo users' data on the dark web. The announcement, posted on August 22nd, made the data available for a cost of only $2.13. The scraped DuoLingo data was previously for sale on another dark forum, in January 2023, at a cost of $1,500.
How Did Hackers Obtain the Data?
The DuoLingo data was scraped through an exposed API. Starting at least in March 2023, researchers publicly shared how to use the API, which enables anyone to submit a username and retrieve JSON output with the user's public profile details. According to BleepingComputer, the API remained openly available, even though DuoLingo knew about its abuse in January.
The API enabled the scraper to use millions of email addresses previously exposed in other data breaches to create a dataset that matched public and non-public information about the owners of those email addresses.
Because of the data leak, malicious actors worldwide gained access to a database that contains usernames, email addresses, phone numbers and DuoLingo service-related information for 2.6 million users.
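The scraping described above depends on one client submitting a long list of different email addresses to a lookup endpoint. The following is an added detection example, not code from DuoLingo or from the original article; the endpoint path, log layout and thresholds are assumptions. It flags clients in an API access log that look up many distinct addresses within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOOKUP_PATH = "/api/users"  # hypothetical lookup endpoint, adapt to your API

def parse_line(line):
    """Return (time, client, email) for a lookup-by-email request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, method, url = parts
    target = urlsplit(url)
    emails = parse_qs(target.query).get("email")
    if method != "GET" or target.path != LOOKUP_PATH or not emails:
        return None
    try:
        return datetime.fromisoformat(ts), client, emails[0].lower()
    except ValueError:  # malformed timestamp
        return None

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=3):
    """Map client -> peak count of distinct emails looked up inside the window."""
    recent = defaultdict(deque)  # client -> (time, email) pairs still in window
    flagged = {}
    for when, client, email in filter(None, map(parse_line, lines)):
        seen = recent[client]
        seen.append((when, email))
        while when - seen[0][0] > window:  # drop lookups older than the window
            seen.popleft()
        distinct = len({e for _, e in seen})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample log: timestamp, client IP, method, URL.
SAMPLE_LOG = [
    f"2023-01-10T09:00:{s:02d} 203.0.113.7 GET /api/users?email=user{s}@example.com"
    for s in range(0, 50, 10)  # five different addresses in 40 seconds
] + [
    "2023-01-10T09:00:05 198.51.100.4 GET /api/users?email=me@example.org",
    "2023-01-10T09:00:06 198.51.100.4 GET /api/users?email=me@example.org",
    "2023-01-10T09:00:07 198.51.100.4 GET /api/users?username=polyglot",
    "2023-01-10T09:00:08 198.51.100.4 POST /api/login",
]

if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct email lookups within one minute")
```

Grouping by client IP is a simplification; a scraper that rotates addresses needs the same count keyed on API token, session or network range.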
How Does the Stolen Data Put Others at Risk?
More than 74 million people worldwide use DuoLingo monthly to learn a foreign language. The giant language learning platform is available on desktop, Android and iPhone. It even offers a version for schools.
While some of the data is public, the ability to correlate it with non-public data, such as email addresses or phone numbers, poses a risk. Threat actors use this kind of data for phishing attacks and online impersonation.
If a company's employees created their DuoLingo account using their office address, their colleagues are more likely to be targeted in potentially successful phishing campaigns.
According to Verizon's 2023 Data Breach Investigations Report, Business Email Compromise (BEC) attacks doubled during the past year. At the moment, BEC is responsible for over 50% of social engineering incidents.
Security Measures that Prevent BEC Attacks
Although educating employees about cybersecurity is a must, you should never rely only on your colleagues' ability to spot a phishing email or a fraud attempt in time. Enforce email security measures and multi-factor authentication to protect your digital assets and prevent a Business Email Compromise attack.
Additionally, take the recommended measures to prevent data breaches affecting your organization.