Data from 2.6 million Duolingo users is now accessible on the cybercrime marketplace, BreachForums. The information, initially on sale since January, contains users’ email addresses, usernames, phone numbers (if provided), and other details, including their language study progress.


Key Takeaways:

  • Data from 2.6 million Duolingo users has been exposed on BreachForums, containing details like email addresses and language study progress.
  • A vulnerability in Duolingo’s Open API allows potential data scraping, including user locations and public avatars.
  • Duolingo asserts that the exposed data was obtained by scraping public profiles, with no indication of their systems being compromised.

Research from Vx-underground indicates that a threat actor identified a bug in Duolingo’s open API which, upon receiving a valid email, returns generic account details. Experts warn that this exposed data could be used for doxxing—a cyber tactic to reveal and publicize a user’s private information—raising concerns over potential targeted phishing attacks.

Cybernews further found that Duolingo’s data is still ripe for scraping, indicating a potential risk of hackers accessing more data like user locations and public avatars. The vulnerability arises from Duolingo’s openly accessible application programming interface (API). Several Twitter users, including Ivano Somaini, have mentioned the public availability of this API as early as March.

Responding to these revelations, a Duolingo spokesperson stated that the records were obtained by scraping public profiles, and there’s no evidence of a system compromise. The spokesperson clarified, “The API involved was designed to help users find friends on Duolingo. Users can opt for private profiles to avoid public searches.”

Data of 2.6 Million Duolingo Users is up for Sale by Hackers

Notably, Duolingo, boasting over 500 million registered users, emphasized that the email addresses linked to this incident were sourced from other sites and not directly from their platform.

For context, Duolingo, a leading language learning app established in 2011 by Luis von Ahn and Severin Hacker, now has over 60 million monthly active users.

