this post was submitted on 23 Aug 2023
548 points (99.1% liked)

Technology

60058 readers
2379 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.

top 50 comments
sorted by: hot top controversial new old
[–] RanchOnPancakes@lemmy.world 107 points 1 year ago (2 children)

Oh no. Now they know the aliased email address, unique password, and that I didn't try very hard to learn spanish.

(please note: this is a joke, I don't see anything about them getting passwords)

[–] stevedidWHAT@lemmy.world 34 points 1 year ago (14 children)

Something to note here - with AI, if you’re using any sort of heuristic for your password, it’s pretty simple to work out a pretty good set of possibilities which makes brute force even easier and puts you at risk across the board.

Always come up with random passwords that are as random as possible. If there’s a path you took to get to a password, in theory it can be worked backward.

For example I know some people who only change a single letter when changing their passwords which is ultimately trivial to guess if the old password was compromised (hence the need to change the password or the need to proactively work against this possibility)

[–] I_Has_A_Hat@lemmy.ml 45 points 1 year ago (5 children)

I wish more websites allowed random words as passwords instead of forcing numbers and special characters (but not THAT special character, you have to use one of the ones on this list).

People change their passwords by one letter or digit because they're tied to these restrictive formats. If 5-6 random words was the norm, people would update more than just one character when needing to change passwords.

"poison navy series ruler handshake papaya" is a fantastic password.

"Ilovemygrandkids!123" is a horrible password.

[–] hatter@lemmy.world 29 points 1 year ago (1 children)

Just use a password manager and a unique, long, random generated password for every site. There's no need or reason to know the password to anything other than your password manager and your primary email.

[–] deft@ttrpg.network 9 points 1 year ago (1 children)

in like a decade the use of a password manager will be a bad idea. i don't know how but it will be.

[–] demlet@lemmy.world 14 points 1 year ago (2 children)

Hmm, a single point of access for every password you have? I don't see the problem...

[–] SleveMcDichael@programming.dev 21 points 1 year ago* (last edited 1 year ago) (1 children)

The thing is the average person either can't or can't be bothered to remember even a dozen actually secure passwords, so they fall back to a couple of simple derivations of a common password, meaning each and every site a user signs up on represents an additional single point of failure.

load more comments (1 replies)
[–] Chriskmee@lemm.ee 10 points 1 year ago

Lucky until we get actual quantum computing, it's not worth the years on a supercomputer to crack a single stolen set of encrypted passwords.

[–] danwardvs@sh.itjust.works 20 points 1 year ago* (last edited 1 year ago) (1 children)
[–] DragonTypeWyvern@literature.cafe 3 points 1 year ago (2 children)

That's why I use IncorrectBatteryHorseStaple

They'll never figure that one out

load more comments (2 replies)
[–] Anticorp@lemmy.ml 12 points 1 year ago

You immediately know that they're not handling your passwords correctly when they block certain characters.

[–] stevedidWHAT@lemmy.world 5 points 1 year ago

Agreed! I also think that the next steps would be getting rid of the need for users to even know their own password and instead replace with other securities like biometrics (with sufficient permutations possible to match or exceed passwords) and a physical device or something else entirely that removes the need to let the user in on what the exact password is

load more comments (1 replies)
[–] qaz@lemmy.world 4 points 1 year ago (6 children)

That's why I let Bitwarden generate a random 64 character password with special characters and numbers

load more comments (6 replies)
[–] lobut@lemmy.ca 4 points 1 year ago (1 children)

I use a heuristic to update my main passwords. It's not a character but easily guessable if you see it in plaintext and now you've made me facepalm my actions.

I only use that for certain things because I use Google Oauth or Bitwarden for most things and you've just woken me up about what could be exposed.

load more comments (1 replies)
load more comments (11 replies)
load more comments (1 replies)
[–] riodoro1@lemmy.world 56 points 1 year ago (2 children)

Next email from duo: give me your credit card details

[–] reverendsteveii@lemm.ee 9 points 1 year ago

"Mi Numero del Seguridad Social es..."

[–] chulo_sinhatche@lemmy.world 53 points 1 year ago (3 children)

Do the people that release these get paid somehow? Or do they just do it for hacker cred and say fuck these 2.6M people?

[–] Dasnap@lemmy.world 49 points 1 year ago (2 children)

In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500.

...

As first spotted by VX-Underground, the scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.

"Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!," reads a post on the hacking forum.

[–] Chariotwheel@kbin.social 25 points 1 year ago

HODL, the value will go up again for sure

[–] snorkbubs@fedia.io 23 points 1 year ago

This part is also, ummm, interesting...

BleepingComputer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.

[–] ChaoticNeutralCzech@feddit.de 32 points 1 year ago (2 children)

They’ll send fake emails where the green owl comes to collect “late fees” for your 216-day streak of missed Spanish lessons.

[–] elvith@feddit.de 28 points 1 year ago

We've been trying to reach you about your language course's extended warranty...

[–] ObviouslyNotBanana@lemmy.world 13 points 1 year ago* (last edited 1 year ago) (1 children)

You'll have to pay with Bed Bath and Beyond gift cards.

load more comments (1 replies)
load more comments (1 replies)
[–] SpicaNucifera@lemm.ee 42 points 1 year ago (2 children)

Oh no, not my German and Japanese scores!!!

I guess the email could become a spam target?? Gmail does a good job sorting that for me.

[–] themeatbridge@lemmy.world 30 points 1 year ago

They know your email, your name, and that you've taken German anf Japanese. Next they use that information to craft a phishing email that only the very stupid would fall for, which fools an alarming number of people. Something like "Hi, this is Duolingo suppert, and your billing information may have been comprimised. Log into this portal with your credit card credentials to confirm that you were not affected."

load more comments (1 replies)
[–] ObviouslyNotBanana@lemmy.world 41 points 1 year ago (2 children)

Damn, they'll know I didn't finish that Spanish lesson the bird bothered me about!

[–] CrabAndBroom@lemmy.ml 13 points 1 year ago (4 children)

They'll know I'm ~1800 days into French and still shit at it.

The shame!

[–] JJROKCZ@lemmy.world 4 points 1 year ago (1 children)

Salut! Enchanté, ça va bien?

[–] CrabAndBroom@lemmy.ml 5 points 1 year ago (1 children)
[–] JJROKCZ@lemmy.world 4 points 1 year ago (1 children)
load more comments (1 replies)
load more comments (3 replies)
[–] elbarto777@lemmy.world 8 points 1 year ago (1 children)

I hope they don't fucking send me spam.

[–] art101@lemmy.world 20 points 1 year ago (2 children)

Depending on how far you got, you might not understand it anyway.

[–] teft@startrek.website 7 points 1 year ago* (last edited 1 year ago) (1 children)

Quieres una gran verga? Haz click aquí!!!

[–] ObviouslyNotBanana@lemmy.world 10 points 1 year ago

Mucho dinero en tu futuro! USD$80,000,000,000 Euro!

load more comments (1 replies)
[–] circuitfarmer@lemmy.sdf.org 40 points 1 year ago* (last edited 1 year ago) (1 children)

"Scraped" data suggests that it's data available on public profile pages. However, the article also says the dump is a mix of public and non-public info. So which is it, scraped or not? It's an important distinction, because data collection by scraping is technically not a breach.

[–] ADTJ@feddit.uk 8 points 1 year ago (1 children)

Take this with a pinch of salt but what I'm gathering is that it's essentially just taking people's public profiles but the Duolingo api also exposes users' e-mail addresses (and possibly other info) that isn't normally displayed as part of the user's public profile via their app.

In essence, they're exposing more data than they probably should be and users were not really aware that data was being made public - that's why people are upset about it.

[–] circuitfarmer@lemmy.sdf.org 5 points 1 year ago

Ok, this makes sense -- in which case the API should not be exposing data that isn't otherwise available on the public profile, so that is significant.

[–] expatriado@lemmy.world 24 points 1 year ago

estamos jodidos señor búo

[–] Extrasvhx9he@lemmy.today 15 points 1 year ago

I pray for whoever pisses off the duolingo bird

[–] PlexSheep@feddit.de 11 points 1 year ago (1 children)

Is there a list on what data exactly got leaked, that wasn't public before?

[–] ansik@kbin.social 26 points 1 year ago* (last edited 1 year ago) (1 children)

However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information.

From the Article, emphasis by me

[–] DragonTypeWyvern@literature.cafe 11 points 1 year ago* (last edited 1 year ago)

Rip my email I use specifically for organizations I don't trust

[–] Destragras@kbin.social 11 points 1 year ago (4 children)

How is that API still up after this has happened?

load more comments (4 replies)
[–] z4x15@lemmy.world 8 points 1 year ago (1 children)

I'm so glad I switched to duck email. Might as well changes it again and block the old email.

[–] Unsustainable@lemmy.today 5 points 1 year ago (6 children)

DDG email is AMAZING! I only wish it would have been around before my email got exposed.

[–] fox@unilem.org 4 points 1 year ago (5 children)

Only one thing to do... Start over fresh.

I just did this a few months ago, and it feels really good to have a proper set-up now, with privacy respecting companies all around.

load more comments (5 replies)
load more comments (5 replies)
load more comments
view more: next ›