“2.6 million DuoLingo account entries” up for sale

Not a week goes by without an example of data scraping causing concern for both businesses and folks at home. The latest target is the popular language platform DuoLingo, which is currently digging into a forum post concerning data related to its customer accounts.

Scraping data for fun and profit, but mostly profit

From the forum post, titled “DuoLingo 2.6 million entries scrape”:

I am selling 2.6 million DuoLingo account entries that were scraped from an exposed API. Starting price is $1,500 USD, but the price can be negotiated.

The post claims to offer many pieces of information, including:

  • Phone numbers
  • Emails
  • Courses taken

Your big deal is someone else’s tiny hiccup

This all sounds very bad at first glance, but as with many data scraping incidents, how bad it is depends heavily on what kind of data has been obtained. Is it a collection of supposedly secret things, or is it information which is (or was) intentionally publicly available? If it’s “only” available via a supposedly exposed API, is it catastrophic for the users if their language or achievements are revealed to the world?

The aggravatingly on-the-fence answer to this is often “it depends”. Your threat model is not the same as someone else’s, and we simply can’t predict how big a deal a supposedly minor exposure will turn out to be for any one person. Even though DuoLingo has stated that this is not the result of a breach or hack, and that the records were obtained by “data scraping public information”, this may be scant consolation to those affected.

Our advice: don’t panic, but keep an eye on the situation

DuoLingo has been a target for scammers and others up to no good for a long time, as tends to happen to the biggest names in any field. Just last year, fake “premium subscriptions” to DuoLingo services were used as the hook for a phishing scam.

For now, if you’re a DuoLingo user, there’s not a lot you can do except wait for more information on this data scraping incident to be published. In theory, this may not be a huge concern, but again: threat models. If you’re particularly worried, the best thing to do would be to contact DuoLingo customer support and see if there are any more details they can give.

Stay safe out there!
