Users of language-learning site Duolingo have a painful lesson to review right now—once your personal data is out on the web, there’s no taking it back. Worse still, the more you’ve shared about yourself, the more you have to be wary of targeted phishing attacks.
According to Bleeping Computer, about 2.6 million accounts are directly affected. Public and private data was scraped from them through an exposed application programming interface (API), and then offered on a hacking forum back in January. Login and real names, email addresses, phone numbers, and courses studied were part of the collection, which went for $1,500. Now that data has resurfaced on a different forum, and at a substantially lower cost of just a few dollars.
The API that yielded these user details is also still publicly available. Username queries will retrieve public profile details, while submitting an email address (like obtained through another data breach or scraped data collection) reveals private data like profile images, location, and if a Facebook or Google account was linked, as researchers discovered. All together, these pieces of data can help scammers and hackers craft more tailored phishing attempts.
Unfortunately, Duolingo users can’t expect much protection from the service. When this data first appeared, the company characterized the lost data as “public profile information” in a statement to The Record. It also has yet to answer Bleeping Computer’s recent questions about why the API is still publicly available.
So what can you do? First and foremost, keep up with your normal online security practices. In particular, avoid opening email from unfamiliar senders as much as possible, and especially don’t click on links or download files from them. (Same goes for text messages.) Use unique, strong passwords for every website and app, too, and store them in a secure password manager.
You can also anonymize your profiles online. Remove your real name, disconnect your Google and Facebook accounts, and upload a generic avatar image. Consider using a masked email address (or at least, a second email address meant just for fun services and email lists) as well. It can make telling apart real email from phishing attempts a little easier.
Alaina Yee is PCWorld's resident bargain hunter—when she's not covering software, PC building, and more, she's scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.