Data of 2.6 Million Duolingo Users Exposed on the Dark Web

Reading Time: 4 min Read
4 min

Image by Shutterstock.




In today’s interconnected world, where data drives decisions and shapes experiences, its security becomes the bedrock of digital trust.


Yet, even the giants of the tech world, with their vast resources and expertise, sometimes find themselves grappling with unforeseen cybersecurity challenges.


One such giant, Duolingo, recently found itself amidst a whirlwind of concerns related to data exposure.


Duolingo, for those unfamiliar, is not just another app on your smartphone. It’s a global phenomenon in the realm of language learning.


Founded in 2011, Duolingo has revolutionized the way people approach language acquisition. With its gamified lessons, user-friendly interface, and a vast array of languages to choose from, it has become the go-to platform for millions seeking to break language barriers.


As of 2023, the platform boasts over 500 million registered users, with a monthly active user base exceeding 60 million. Offering 98 courses across nearly 40 distinct languages, Duolingo’s impact on language education is undeniable. Its accolades are not just limited to user numbers; the platform has received numerous awards and recognition for its innovative approach to education. However, with great success comes great responsibility, especially in the realm of user data protection. The recent incident surrounding Duolingo is a testament to the challenges even the most established tech entities face in the ever-evolving cybersecurity landscape. This in-depth analysis aims to shed light on the Duolingo data exposure incident, exploring its intricacies, implications, and the lessons it offers for both organizations and individual users.


What We Know?


    • Magnitude of Exposure: Data pertaining to over 2.6 million Duolingo users was made available on a dark web hacking forum.
    • Nature of Data: The exposed dataset encompasses a wide array of user details, including names, usernames, email addresses, phone numbers (if provided), social network information, language studies, experience, progress, and achievements.
  • Data Source: The data was allegedly procured by exploiting an open application planning interface (API). This API, known to the public since March 2023, facilitates the retrieval of public information from any Duolingo profile using the associated username.
  • Official Stance: Duolingo has confirmed that the data was sourced from public profile information. They have categorically stated that the incident did not stem from a data breach or hack and are actively addressing the situation


What Happened?


The incident came to light when a malicious actor attempted to sell the scraped data of 2.6 million Duolingo users on the Breached hacking forum in January 2023, with a price tag of $1,500.


This dataset amalgamated both public and private user information. The data was subsequently made available on another cybercrime marketplace, BreachForums, for a mere 8 site credits, translating to just $2.13.


This move essentially rendered the data virtually free for malicious entities.


The root of this data exposure can be traced back to an openly accessible API.


This API, known to the public since at least March 2023, allowed anyone to input a username and receive detailed public profile information in a JSON format. More alarmingly, the API permitted the input of an email address to verify its association with a valid Duolingo account.


This loophole enabled threat actors to input vast numbers of email addresses, potentially sourced from previous data breaches, into the API to determine their linkage to Duolingo accounts.


The amalgamation of public and private data was then compiled into the dataset that was subsequently put up for sale.


What Can You Do to Protect Yourself?


  1. Update Passwords: All Duolingo users are advised to change their passwords immediately. Regularly updating passwords is a fundamental cybersecurity practice.
  2. Activate Two-Factor Authentication (2FA): Duolingo offers 2FA, and users should enable it. 2FA provides an added layer of security, ensuring that account access requires a secondary verification method, even if the password is compromised.
  3. Stay Vigilant Against Phishing: With email addresses exposed, users should be highly alert for phishing attempts. Constantly scrutinize the sender’s email address and avoid clicking on dubious links.
  4. Stay Updated: Regularly check official channels or trusted news sources for updates on the situation. Companies often provide guidance to affected users.
  5. Review Privacy Settings: Periodically review the privacy settings of your Duolingo account (and other online accounts) to ensure you’re only sharing information you’re comfortable with.


Join Thousands of Weekly Readers

Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.

This field is for validation purposes and should be left unchanged.


Key Insights


  • API Security is Paramount: The Duolingo incident highlights the critical importance of securing APIs. Even if they provide access to public data, they can be exploited for malicious purposes.
  • The Significance of Prompt Action: Despite being alerted about the open API in January 2023, Duolingo’s delay in addressing it underscores the importance of timely action when vulnerabilities are identified.
  • The Gravity of Data Scraping: While data scraping might seem benign, especially if the data is public, the combination of public and private data can have severe repercussions. As witnessed in the Duolingo incident, the amalgamation of public profile details with private information like email addresses can be exploited for malicious activities.
  • Historical Precedents: Data scraping isn’t a new phenomenon. In one of the most infamous data scraping incidents, Facebook was slapped with a $276 million fine for a data leak in the EU. Such incidents highlight the legal and financial implications of data breaches and the importance of safeguarding user data.




The Duolingo incident serves as a stark reminder of the vulnerabilities that exist in the digital realm. It emphasizes the importance of continuous vigilance, regular security audits, and prompt action for organizations. For users, it underscores the need to stay informed, practice good cybersecurity hygiene, and protect personal data proactively. In the digital age, security is a shared responsibility, and together, we can foster a safer online ecosystem.

One Response

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Insights

Join Thousands of weekly reader

Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.

This field is for validation purposes and should be left unchanged.