Phishing risk for Duolingo users

Security Awareness
18 September 2023
Duolingo Phishing

Learning languages, yes, but watch out for the pitfalls

Today, in order to move around and work in the world, it is almost mandatory to learn other languages in addition to one’s mother tongue.

Until a few years ago, this was considered an investment in oneself.
A challenging, and also an expensive, path. It was necessary to participate in recognised courses, perhaps attend a school in person, often planning stays abroad. In short, investing a lot of time and money.
Today, everything is much simpler: the web is teeming with both teachers and programmes or applications that, with relatively little effort, promise easy, fast and inexpensive learning.

Among these applications, one of the best-known and most used is Duolingo, one of the world’s largest language-learning sites, with over 74 million monthly users worldwide.

The first beta version of Duolingo dates back to 30 November 2011, and before launch it had already accumulated a waiting list of more than 300,000 users.
The site opened to the public in June 2012, and by January 2014 it had 25 million users, of whom about 12.5 million were active. In 2013, Apple named Duolingo its “iPhone App of the Year”, the first time an educational app had received that recognition. In short, a winning idea and method right from the start.

Unfortunately, cracks have started to appear in the reliability of the well-known application following a recent data leak. Earlier this year, attackers scraped the names and email addresses of 2.6 million users of the app, and the entire dataset is now being sold on underground forums for about $2.13, giving other criminals everything they need to run targeted phishing campaigns against those users by name.

Because the attackers know which addresses belong to real accounts, and the names attached to them, they can impersonate Duolingo convincingly and trick victims into clicking.
The goal is to steal money or credentials: targeted emails can push Duolingo users into installing malware on their devices, or into handing over their login details or payment card data, for example under the pretext of a billing problem with the paid Super Duolingo subscription.

The data was collected through an exposed API (application programming interface) whose abuse has been openly shared since at least March 2023.

The API lets anyone submit a username and receive a JSON document containing that user’s public profile information. Worse, the same API also accepts an email address and reveals whether it is associated with a valid Duolingo account, which turns a list of email addresses into a list of confirmed Duolingo users.
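The following is an added example, not Duolingo’s code or API: a toy user-lookup endpoint that behaves the way the paragraph above describes (one parameter that accepts either a username or an email address and returns a profile), placed next to a hardened version of the same endpoint. The user store, email addresses and client identifiers are all constructed for the demonstration; the endpoint names and the rate-limit parameters are assumptions.

```python
"""
Added example, not Duolingo's code: a toy user-lookup endpoint with the
account-enumeration weakness described above, next to a hardened version.
The user store, emails and client IDs are constructed for the demo.
"""
import time
from collections import defaultdict

# Constructed sample user store (hypothetical users, not real data).
USERS = {
    "alice": {"email": "alice@example.com", "streak": 120, "courses": ["de"]},
    "bob":   {"email": "bob@example.com",   "streak": 4,   "courses": ["fr", "es"]},
}
EMAIL_TO_USER = {u["email"]: name for name, u in USERS.items()}


def lookup_leaky(query: str) -> dict:
    """Vulnerable design. The same parameter accepts a username or an email,
    the email is echoed back in the profile, and a miss (empty list) is
    trivially distinguishable from a hit. Anyone holding a list of email
    addresses can therefore learn which of them have an account, and the
    name that goes with each, which is all a targeted phishing mail needs."""
    q = query.strip().lower()
    name = EMAIL_TO_USER.get(q) or (q if q in USERS else None)
    if name is None:
        return {"users": []}
    u = USERS[name]
    return {"users": [{"username": name, "email": u["email"],
                       "streak": u["streak"], "courses": u["courses"]}]}


def enumerate_accounts(emails: list[str]) -> list[tuple[str, str]]:
    """What a scraper does with the leaky endpoint: confirm every address
    on its list and link it to a username (toy version, local data only)."""
    hits = []
    for email in emails:
        users = lookup_leaky(email)["users"]
        if users:
            hits.append((email, users[0]["username"]))
    return hits


class TokenBucket:
    """Per-client token bucket: `rate` lookups per `period` seconds."""
    def __init__(self, rate: int, period: float, clock=time.monotonic):
        self.rate, self.period, self.clock = rate, period, clock
        self.state = defaultdict(lambda: [float(rate), clock()])  # [tokens, last]

    def allow(self, client: str) -> bool:
        tokens, last = self.state[client]
        now = self.clock()
        tokens = min(float(self.rate), tokens + (now - last) * self.rate / self.period)
        if tokens < 1.0:
            self.state[client] = [tokens, now]
            return False
        self.state[client] = [tokens - 1.0, now]
        return True


DEFAULT_BUCKET = TokenBucket(rate=5, period=60.0)  # assumed limit for the demo


def lookup_hardened(query: str, client: str, bucket: TokenBucket = DEFAULT_BUCKET) -> dict:
    """Hardened design:
      * only usernames are lookup keys; an email-shaped query gets exactly the
        same answer as an unknown username, so the endpoint cannot confirm
        whether an address has an account;
      * the email address is never included in the response;
      * each client is rate-limited, so bulk scraping is throttled and shows
        up in logs as a stream of refusals."""
    if not bucket.allow(client):
        return {"error": "rate_limited", "users": []}
    q = query.strip().lower()
    if "@" in q or q not in USERS:
        return {"users": []}
    u = USERS[q]
    return {"users": [{"username": q, "streak": u["streak"], "courses": u["courses"]}]}


if __name__ == "__main__":
    targets = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("leaky endpoint confirms:", enumerate_accounts(targets))
    print("hardened endpoint, same query:", lookup_hardened("alice@example.com", "scraper-1"))
    print("hardened endpoint, username:", lookup_hardened("alice", "scraper-1"))
```

The key property of the hardened version is not the rate limit but the uniform answer: an email address must produce the same response as a username that does not exist, otherwise the endpoint remains an oracle and a rate limit only slows the scraper down.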

The problem is that this API still appears to be open to anyone on the web, even though its abuse was reported to Duolingo in January.

In short, the issue does not seem to have been resolved. Until Duolingo takes definitive measures, all users can do is be very careful not to fall into the trap.

The advice is always the same:

  • read every incoming email carefully,
  • check that the sender’s address really belongs to the legitimate domain, not a look-alike,
  • look for spelling mistakes, grammatical errors and odd wording,
  • do not react emotionally to an alarmist email that threatens an expiry or the loss of your account, and, above all,
  • do not click suspicious links or download attachments.

The dangers on the web are ever more present and more treacherous.
The only reliable protection is quality training: training that provides the knowledge needed to recognise the now numerous traps set by attackers, and that keeps us alert so we are never caught off guard.
Being caught off guard is the attackers’ favourite weapon.

