Users of language-learning site Duolingo have a painful lesson to review right now—once your personal data is out on the web, there’s no taking it back. Worse still, the more you’ve shared about yourself, the more you have to be wary of targeted phishing attacks.
According to Bleeping Computer, about 2.6 million accounts are directly affected. Public and private data was scraped from them through an exposed application programming interface (API), and then offered on a hacking forum back in January. Login and real names, email addresses, phone numbers, and courses studied were part of the collection, which went for $1,500. Now that data has resurfaced on a different forum, and at a substantially lower cost of just a few dollars.
The API that yielded these user details is also still publicly available. Username queries retrieve public profile details, while submitting an email address (such as one obtained through another data breach or scraped data collection) reveals private data like profile images, location, and whether a Facebook or Google account was linked, as researchers discovered. Altogether, these pieces of data can help scammers and hackers craft more tailored phishing attempts.
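As an added illustration (this is not Duolingo's code and makes no claim about how its API is built; the account records, field names and function names are constructed for the example), the following Python contrasts a profile-lookup handler with the weak property the article describes, where an anonymous email query returns private fields, against a hardened one that serves public fields for username queries only, answers an email query solely for the authenticated owner of that address, returns an identical "not found" body for every other email query so the endpoint cannot confirm whether an address is registered, and throttles email queries per caller to slow bulk scraping.

```python
"""Added example, not Duolingo's code: weak vs. hardened profile lookup."""
from collections import defaultdict, deque
from typing import Optional

PUBLIC_FIELDS = ("username", "courses")
PRIVATE_FIELDS = ("real_name", "email", "phone", "location",
                  "facebook_linked", "google_linked")

# Constructed sample accounts (hypothetical values, not real users).
ACCOUNTS = [
    {"username": "alice_learns", "courses": ["Spanish", "Japanese"],
     "real_name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-0100", "location": "Springfield",
     "facebook_linked": True, "google_linked": False},
    {"username": "bob_study", "courses": ["French"],
     "real_name": "Bob Example", "email": "bob@example.com",
     "phone": "+1-555-0101", "location": "Shelbyville",
     "facebook_linked": False, "google_linked": True},
]

NOT_FOUND = {"error": "not found"}
RATE_LIMITED = {"error": "too many requests"}


def _by_username(username: str) -> Optional[dict]:
    return next((a for a in ACCOUNTS if a["username"] == username), None)


def _by_email(email: str) -> Optional[dict]:
    return next((a for a in ACCOUNTS if a["email"].lower() == email.lower()), None)


def vulnerable_lookup(query: str) -> Optional[dict]:
    """Weak pattern from the article: any caller may query by username or
    email, and an email hit returns the whole record, private fields included."""
    acct = _by_username(query)
    if acct:
        return {k: acct[k] for k in PUBLIC_FIELDS}
    acct = _by_email(query)
    if acct:
        return dict(acct)  # leaks real name, phone, location, linked accounts
    return None


class EmailQueryQuota:
    """Sliding-window cap on email-based queries per caller (hypothetical
    helper). A scraper feeding in addresses harvested elsewhere hits the cap
    quickly; a legitimate user checking their own account does not."""

    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, caller_id: str, now: float) -> bool:
        q = self.hits[caller_id]
        while q and now - q[0] > self.window_s:
            q.popleft()            # drop timestamps outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_lookup(query: str, requester_email: Optional[str] = None,
                    caller_id: str = "anon", quota: Optional[EmailQueryQuota] = None,
                    now: float = 0.0) -> dict:
    """Hardened pattern:
    - username queries return public fields only;
    - email queries are throttled per caller before any lookup happens;
    - an email query is answered only when the authenticated requester owns
      that address; every other email query gets the same NOT_FOUND body,
      so the response does not reveal whether the address is registered."""
    acct = _by_username(query)
    if acct:
        return {k: acct[k] for k in PUBLIC_FIELDS}
    if "@" in query:
        if quota is not None and not quota.allow(caller_id, now):
            return dict(RATE_LIMITED)
        acct = _by_email(query)
        if (acct and requester_email
                and acct["email"].lower() == requester_email.lower()):
            return {k: acct[k] for k in PUBLIC_FIELDS + PRIVATE_FIELDS}
    return dict(NOT_FOUND)


if __name__ == "__main__":
    print("weak, email query:", vulnerable_lookup("alice@example.com"))
    print("hardened, anonymous email query:", hardened_lookup("alice@example.com"))
    print("hardened, owner:", hardened_lookup("alice@example.com",
                                             requester_email="alice@example.com"))
```

The key property of `hardened_lookup` is that an unauthenticated email query for a registered address and one for an unregistered address produce byte-identical responses, which removes the enumeration oracle the article describes; the quota is a second layer that limits how fast even an authenticated caller can probe.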
Unfortunately, Duolingo users can’t expect much protection from the service. When this data first appeared, the company characterized the lost data as “public profile information” in a statement to The Record. It also has yet to answer Bleeping Computer’s recent questions about why the API is still publicly available.
So what can you do? First and foremost, keep up with your normal online security practices. In particular, avoid opening email from unfamiliar senders as much as possible, and especially don’t click on links or download files from them. (Same goes for text messages.) Use unique, strong passwords for every website and app, too, and store them in a secure password manager.
You can also anonymize your profiles online. Remove your real name, disconnect your Google and Facebook accounts, and upload a generic avatar image. Consider using a masked email address (or at least, a second email address meant just for fun services and email lists) as well. It can make telling apart real email from phishing attempts a little easier.