Data of 2.6 Million Duolingo Users Leaked on Hacking Forum


source:  |  image:


Data from 2.6 million users of Duolingo, a language learning platform with over 74 million monthly users, has been leaked on a hacking forum.

The compromised data, which includes real names, login names, email addresses and internal service-related details, was initially offered for sale on the now defunct Breached hacking forum in January 2023 for $1500. 

Despite Duolingo’s confirmation to The Record that the data was sourced from publicly available profiles, the leaked email addresses are particularly alarming as they are not public information and can facilitate targeted phishing attempts.

“We’re aware of this report. These records were obtained by data scraping public profile information. We have no indication that our systems were compromised. We take data privacy and security seriously and are continuing to investigate this matter to determine if any further action is needed to protect our learners,” a spokesperson from the company confirmed to Infosecurity in an email. 

“This is yet another example of why every online service should take proactive security measures to prevent mass data scraping,” commented Roger Grimes, data-driven defense evangelist at KnowBe4.

“The ability of a scammer to link someone’s service, in this case Duolingo, to their email address and name will allow more realistic phishing attempts. More people will fall for those scams than they otherwise would.”

The scraped dataset was brought to light by VX-Underground on the social media platform X on Monday, and it was made available on a new version of the Breached hacking forum. The cost of accessing this dataset was set at eight site credits, which is just $2.13.

The breach reportedly originated from an exposed application programming interface (API), discovered in March 2023, that enables the retrieval of user profile information. This API inadvertently permitted unauthorized access to email addresses associated with Duolingo accounts. 

Despite the potential consequences of the breach, Duolingo has not commented on why the API remains accessible even after abuse was reported earlier in the year. 

“This incident underscores that not all attacks on digital resources involve traditional hacking techniques,” explained Jason Kent, hacker in residence at Cequence Security.

“Instead, attackers are increasingly focused on manipulating the functionalities of web apps, mobile apps, and APIs using automated tools like bots.”

Also commenting on the breach, George McGregor, VP at Approov, criticized Duolingo for its apparent negligence, highlighting several concerning aspects. McGregor outlined the problems, including the API’s tendency to provide public profile data solely based on a username, lacking additional verification measures. 

He also pointed out that automated scraping was enabled due to the API not having backend checks to ensure requests originated from legitimate apps. Furthermore, he revealed that the problem had been identified before but had not been rectified, raising questions about the company’s handling of security issues.

“A good mobile security solution can be used to address these issues and restrict API access to properly validated app instances,” McGregor concluded.

As phishing attacks become increasingly sophisticated, users are advised to remain vigilant against unsolicited communications and to verify the legitimacy of requests for sensitive information.