More than 7,000 Singapore Duolingo users’ e-mails found in leaked database, Latest Singapore News - The New Paper

More than 7,000 Singapore Duolingo users’ e-mails found in leaked database

Thousands of Singapore Duolingo users have had their e-mail addresses leaked, after the data of almost 2.7 million users of the popular language learning platform were put up on several hacking forums.

Besides e-mail addresses, the leaked data also indicated if a user had linked their Facebook account to their Duolingo account, as well as the languages they were learning.

The Straits Times was able to get hold of the database from one of the hacking forums, which redirected to a Telegram channel that the public could easily access.

The 1.6GB database was too large for Microsoft Excel to process, and the information was cut off at the 1,048,575th entry. The remaining entries could not be opened.

In the entries shown, 1,510 accounts belonged to users in Singapore, although many other users did not indicate their country of origin.

ST has contacted Duolingo for more information.

The United States-headquartered company has more than 45 million monthly users, who can learn over 40 languages on its app through stories, quizzes and other features, according to its website.

A report published by Netherlands-based cyber-security firm Surfshark on Tuesday said American users were the hardest hit, with about 967,000 accounts compromised, out of the 2,676,690 affected accounts.

In its analysis, the firm revealed that 47,852 Singapore Duolingo accounts were part of the database. More than 7,000 of them had their e-mail addresses put up.

The leaked e-mail addresses are concerning as they can be used in phishing attacks.

Technology website TechRadar reported on Aug 23 that the data was compromised in January.

It was initially put up for sale on a hacker’s forum for US$1,500 (S$2,025), with Duolingo issuing a statement then that the data was scraped from public profile information.

“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners,” a spokesman had told The Record – a news outlet focusing on cyber security – on Jan 24.

Cautioning affected users to beware of phishing e-mails, the Surfshark report said: “People affected might receive personalised phishing e-mails, such as offering affordable courses related to the language they have been studying on Duolingo.

“This could be done using leaked names and origin countries, resulting in highly customised e-mails, possibly even in their own native languages.”

In 2022, phishing became an increasingly common phenomenon in Singapore, with 8,500 reported cases, according to the Cyber Security Agency (CSA).

This was more than double the number of reported cases in 2021 – when there were 3,100.

Fraudsters tended to spoof banking and financial services in most of their attempts, as well as government and logistics-related services, including online shopping deliveries.