A hacker claims to have leaked the data of 2.6 million Duolingo users on one of the hacker forums on the deep web, posting the data of 1,000 customers.
Most notably, the leaked data included the users’ names, personal photos, phone numbers, languages they study, and courses.
The data was first offered for sale in January 2023, before being offered again yesterday.
After the first presentation, Duolingo confirmed that the displayed data is real and that it is public data that can be obtained from user accounts, but it did not address the fact that email addresses and phone numbers are not public data.
After a leak, there are several steps users can take to protect themselves:
- Password Change: Change their passwords immediately. Passwords must be strong and complex, including uppercase and lowercase letters, numbers, and special symbols. It is preferable to use unique passwords for each account.
- Enable Two-Factor Authentication/Two-Step Verification: Enable multifactor authentication if available in the Duolingo app. This feature adds an extra layer of security with login requirements such as codes sent over the phone or app.
- Review the privacy settings of their account and ensure that the data displayed on the profile or public is restricted.
- Phishing Beware: Avoid clicking on links in email or text messages that could be phishing.
- Monitoring bank and financial accounts in the event that there is financial information related to leaked accounts.
- Update the application to the latest available version. The update may contain important security fixes.
- Avoid sharing sensitive information on social media or other platforms.
- Review accounts connected to Duolingo and disconnect any unknown or spam accounts.
