Duolingo is the world's largest language learning website and app, with over 74 million monthly users. According to BleepingComputer, the leak of Duolingo users' personal data could allow attackers to carry out targeted phishing attacks against them.
In January 2023, an account on a hacker forum sold data collected from 2.6 million Duolingo users for $1,500; the forum has since ceased operations.
The data includes public login names and real names, as well as non-public information, including email addresses and internal information related to Duolingo's service. While Duolingo user profiles publicly display real names and login names, email addresses are kept private.
The advertisement offered to sell 2.6 million Duolingo user data records for $1,500.
Duolingo confirmed to TheRecord that the data collected and sold was taken from public profiles, and said the company was investigating whether it should take additional preventative measures. However, Duolingo did not address the fact that email addresses were also included in the data.
Data from 2.6 million users was re-released yesterday on a new version of the hacker forum for just 8 site credits (about $2.13). The data was collected using a Duolingo application programming interface (API) that has been openly shared since March 2023.
This API allows anyone to submit a username and retrieve that user's public profile information. However, it is also possible to submit an email address to the API and check whether that address is linked to a Duolingo account.
BleepingComputer stated that this API remained publicly available even after its misuse was reported to Duolingo in January.
It is likely that the threat actor fed millions of email addresses, probably taken from previous data breaches, into the API to check which ones belonged to Duolingo accounts. The matching email addresses were then combined with the public profile data to build a dataset containing both public and non-public information.
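The following Python model, added here as an illustration and not Duolingo's code or its real API, shows why an email-lookup endpoint becomes an enumeration oracle and what the hardened design looks like. The user records, the endpoint names and the "previous breach" email list are all constructed; the hardened variant returns the same answer whether or not the address is registered and rate-limits each caller, which is the standard fix for this class of flaw.

```python
"""Toy model of an email-enumeration oracle and its mitigations.

Constructed example: none of this is Duolingo's code or its real API.
The user table, the endpoint names and the breach list are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed user table. Username and real name are public on a profile;
# the email address is private.
USERS = {
    "alice": {"name": "Alice Example", "email": "alice@example.org"},
    "bob": {"name": "Bob Example", "email": "bob@example.net"},
    "carol": {"name": "Carol Example", "email": "carol@example.com"},
}
EMAIL_INDEX = {u["email"]: handle for handle, u in USERS.items()}

# Constructed "previous breach" dump that a scraper would feed in.
LEAKED_EMAILS = [
    "alice@example.org",
    "nobody@example.org",
    "bob@example.net",
    "mallory@example.com",
]

# Stand-in for the mail system the hardened endpoint hands off to.
OUTBOX: list[str] = []


def public_profile(username: str) -> dict | None:
    """Public-profile endpoint: by design returns username and real name."""
    user = USERS.get(username)
    if user is None:
        return None
    return {"username": username, "name": user["name"]}


def lookup_by_email_vulnerable(email: str) -> dict | None:
    """The problematic design: the response differs depending on whether the
    email belongs to an account, so the endpoint is an existence oracle, and
    it returns the username that joins the private email to the public profile."""
    handle = EMAIL_INDEX.get(email)
    if handle is None:
        return None
    return {"username": handle}


@dataclass
class RateLimiter:
    """Fixed-window counter per caller: at most `limit` lookups per `window` seconds."""
    limit: int
    window: float
    _buckets: dict = field(default_factory=dict)

    def allow(self, caller: str, now: float) -> bool:
        start, count = self._buckets.get(caller, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._buckets[caller] = (start, count)
        return count <= self.limit


def lookup_by_email_hardened(email: str, caller: str,
                             limiter: RateLimiter, now: float) -> dict:
    """Hardened design: identical response for registered and unregistered
    addresses (any action, e.g. a sign-in link, goes out of band by email),
    plus per-caller rate limiting so bulk probing is cut off."""
    if not limiter.allow(caller, now):
        return {"status": "rate_limited"}
    if email in EMAIL_INDEX:
        OUTBOX.append(email)  # only the mailbox owner learns the answer
    return {"status": "if_registered_check_inbox"}


def scrape(emails: list[str], email_lookup) -> list[dict]:
    """The enumeration from the attacker's side: probe each leaked address and,
    on a hit, join the private email with the public profile record."""
    dataset = []
    for email in emails:
        hit = email_lookup(email)
        if hit and "username" in hit:
            dataset.append({**public_profile(hit["username"]), "email": email})
    return dataset


if __name__ == "__main__":
    print("vulnerable:", scrape(LEAKED_EMAILS, lookup_by_email_vulnerable))
    limiter = RateLimiter(limit=2, window=60.0)
    hardened = lambda e: lookup_by_email_hardened(e, "scraper", limiter, 1000.0)
    print("hardened:", scrape(LEAKED_EMAILS, hardened))
```

Against the vulnerable endpoint the four constructed breach addresses yield two fully joined records (username, real name, email); against the hardened endpoint the scraper learns nothing, and after the second probe in the window it is refused outright.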
Hackers re-uploaded the data of 2.6 million Duolingo users for a very low price.
Companies tend to dismiss scraped data, since most of it is already publicly available. However, when publicly available data is combined with private data such as phone numbers and email addresses, the resulting leak becomes far more dangerous and may violate data protection laws.
In 2021, Facebook suffered a massive data leak after its "Add Friend" API was misused to link phone numbers to the Facebook accounts of 533 million users. The Irish Data Protection Commission (DPC) fined Meta, Facebook's parent company, €265 million ($275.5 million) over the GDPR violations behind that leak. More recently, a flaw in Twitter's API was used to link email addresses to the public profiles of millions of users, leading to a DPC investigation. Duolingo has yet to explain why it left this API publicly accessible despite reports of its misuse.