Vietnam.vn - Platform for promoting Vietnam

Data of 2.6 million Duolingo users leaked publicly

Báo Thanh niên, 24/08/2023


Duolingo is the world's largest language learning website and app with over 74 million monthly users. According to Bleeping Computer, the leaked personal data of Duolingo users would allow hackers to launch targeted phishing attacks.

In January 2023, an account on a hacker forum sold data collected from 2.6 million Duolingo users for $1,500, and the forum has since been shut down.

This data includes login credentials, real names, and non-public information, including email addresses and internal information related to Duolingo's service. While Duolingo user profiles publicly display real names and login names, email addresses are anonymized.

Ad offering data on 2.6 million Duolingo users for $1,500

Duolingo confirmed to TheRecord that the data collected and sold was taken from public records, and that the service is investigating whether to take further precautions. However, Duolingo did not mention that email addresses were also listed in the data.

Data from 2.6 million users was released yesterday on a new version of the hacker forum for just $2.13. The data was collected using an application programming interface (API) that has been publicly shared since March 2023.

This Duolingo API allows anyone to submit a request to retrieve a user's public profile information. However, it is also possible to provide an email address to the API and confirm whether that address is associated with a Duolingo account.

BleepingComputer said the API remained publicly available even after its abuse was reported to Duolingo in January.

It's possible the hacker fed millions of email addresses — likely exposed in previous data breaches — into the API to see if they belonged to Duolingo accounts. These email addresses were then used to create a dataset containing public and non-public information.


Hacker Re-Uploads Data of 2.6 Million Duolingo Users for a Very Cheap Price

Companies tend to dismiss scraped data, as most of it is already public. However, when public data is combined with private data such as phone numbers and email addresses, the exposed information becomes riskier and may violate data protection laws.

In 2021, Facebook suffered a massive data breach after its “Add Friend” API was misused to link phone numbers to the Facebook accounts of 533 million users. The Irish Data Protection Commission (DPC) fined Facebook €265 million ($275.5 million) for causing the breach. A recent bug in Twitter’s API was used to scrape public data and email addresses for millions of users, leading to an investigation by the DPC. Duolingo has yet to explain why it left the API open to everyone after abuse reports were received.


