Emails from the Duolingo owl are usually an annoyance at worst. But cybercriminals now have their hands on your email address and Duolingo data, so can send you highly targeted emails to lure you into phishing traps.
Here’s why you can’t trust emails from Duolingo anymore.
How Did Attackers Get Your Information From Duolingo?
Believe it or not, most of your Duolingo data is available to anyone with a passing interest and some time on their hands. You can see basic profile data such as username, profile images, and languages being studied by visiting https://www.duolingo.com/profile/[username], replacing [username] with the username of whoever you’re interested in.
If you have a couple of hours to kill, you can investigate a few dozen profiles, check if the usernames are used elsewhere or even run a reverse image search on the profile pic and see where else it appears on the internet.
It’s a fun way to pass the time, but inefficient if your goal is to gather massive amounts of data, and it’s fairly simple to build an application that will scrape data from websites for you.
Using a platform’s own Application Programming Interface (API), it’s even easier to gather massive amounts of public data from platforms such as Facebook, Twitter, LinkedIn, or Duolingo.
In January 2023, The Record reported that hackers had used Duolingo’s API to scrape the public data of 2.6 million users, and had posted the data for sale on the now-defunct breached.to forum.
While Duolingo acknowledged that the data was valid, the company insisted that it was publicly available profile data and that no hack or data breach had occurred.
On August 22, 2023, malware marketplace VX-Underground revealed on X (the platform formerly known as Twitter) that this scraped data also contained user email addresses, and that it could be, and had been, used to obtain further information including name and phone number.
How Can the Duolingo Data Be Used Against You?
Emails from Duolingo are so common that they’ve become a staple meme. If you miss a day’s Esperanto practice, Duolingo’s owl mascot, Duo, will appear in your inbox to tell you that he’s sad.
Vaguely menacing emails appear soon after, along with emails telling you your streak has been frozen, then broken, and that you’re slipping down the leaderboards, then exhortations to take a three-minute lesson.
Each email will contain information about your recent language-learning activities, and provide a handy link for you to log into the site.
Now that your name, Duolingo information, and activity are in the hands of potential criminals, it’s trivially easy to automatically craft phishing emails that will persuade you to click on the link.
We consider it likely that the link will ask you to log in—providing attackers with your password, too.
Scam emails can appear even more authentic if attackers take advantage of the many Duolingo domains available. Would you trust an email from duolingo.live, duolingo.tech, duolingo.world, or duolingo.life? All are currently available for under $10, while the slightly more compelling duolingo.club can be had for the comparatively steep price-tag of around $600 (at the time of writing).
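The lookalike domains above are the easiest thing to check for on the receiving end. The following Python example is added here and is not code from the article or from Duolingo; it treats only duolingo.com (and its subdomains) as legitimate, which is an assumption you would adjust to your own allowlist, and the two sample emails are constructed for illustration. It parses a raw message, pulls the sender domain and every linked hostname, and flags any that invoke the brand name without being on the allowlist, including nested tricks such as duolingo.com.evil.example.

```python
"""Flag emails whose sender or link domains merely look like Duolingo's.

Added example, not from the article. LEGIT_DOMAINS is an assumption
for illustration: extend it deliberately if you trust other domains.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: only this registered domain (and its subdomains) is genuine.
LEGIT_DOMAINS = {"duolingo.com"}
BRAND = "duolingo"


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname ('mail.duolingo.com' -> 'duolingo.com').

    Good enough for this example; production code should consult the
    Public Suffix List so that 'duolingo.co.uk'-style names are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when the hostname invokes the brand but its registered domain is not allowlisted.

    Checking the whole hostname (not just the registered domain) catches
    'duolingo.com.evil.example', where the brand sits in a subdomain label.
    """
    host = host.lower().rstrip(".")
    if registered_domain(host) in LEGIT_DOMAINS:
        return False
    return BRAND in host


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of a plain-text body, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in re.findall(r"https?://[^\s\"'<>]+", text)]


def classify_email(raw: str) -> dict:
    """Parse a raw RFC 822 message and report sender and link domains that look spoofed."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = [urlparse(u).hostname or "" for u in extract_urls(body)]
    lookalike_links = [h for h in link_hosts if is_lookalike(h)]
    sender_lookalike = is_lookalike(sender_domain) if sender_domain else False
    return {
        "sender_domain": sender_domain,
        "sender_lookalike": sender_lookalike,
        "lookalike_links": lookalike_links,
        "suspicious": sender_lookalike or bool(lookalike_links),
    }


# Constructed sample messages (not real Duolingo mail).
LEGIT_SAMPLE = """From: Duo <hello@duolingo.com>
Subject: Keep your streak alive

You have a 12-day streak. Practice today: https://www.duolingo.com/learn
"""

PHISHING_SAMPLE = """From: Duo from Duolingo <streak@duolingo.live>
Subject: Your streak is frozen

Log in now to restore it: http://duolingo.club/login?u=12345
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_SAMPLE), ("phish", PHISHING_SAMPLE)):
        print(label, classify_email(sample))
```

Run it as a script and the constructed phishing sample is reported as suspicious on both counts (sender on duolingo.live, link to duolingo.club), while the genuine-looking sample passes. The check is deliberately narrow: it says nothing about messages that avoid the brand name entirely, so it complements, rather than replaces, SPF/DKIM/DMARC verification by your mail provider.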
With your email address and password, criminals can start to attack your other online accounts.
How to Protect Yourself From Duolingo Phishing Scams
If you’re worried that your data may be included in the 2.6 million-entry dataset, the first thing you should do is head over to Have I Been Pwned (haveibeenpwned.com) and enter your email address. If it’s there, you’ll see the breaches in which your data was exposed.
Next, you should unsubscribe from all Duolingo emails. They’re irritating anyway, and if any do make it into your inbox, you’ll know that they’re from scammers. Do this using a historical, trustworthy message from the service though, as even unsubscribe buttons can be scams!
It’s always a good idea to create a separate password for each service you use. This way, if your password is compromised in a data breach, or you accidentally reveal it in a phishing attack, it can’t be used on any of your other accounts.
If you can, use a unique email address for each website or app, too. It’s easy to disguise your email address, and doing so will prevent it from being passed around for use in other scams or spam campaigns. We’d recommend simple catch-all email forwarding for this.
Duolingo Isn’t the Only Way to Learn a New Language
If you’re unhappy with the way Duolingo made your public and private data available through its own API, or maybe you’re frustrated at its didactic tactics and pedagogical pedantry, you may be considering abandoning Duo for good.
Leaving Duolingo doesn’t mean that you have to surrender your studies, and there are plenty of superb sites that can help lighten the load of learning languages online.