Duolingo is a popular language-learning app and site with more than 74 million monthly active users. The company recently suffered a data leak resulting in the exposure of more than 2.6 million users’ e-mail addresses and other information. Here’s what you need to know.
In this article:
In January 2023, a hacking forum user claimed to have the e-mail addresses of 2.6 million users of the service and was selling the list for $1500 or best offer.
The DuoLingo database (scraped) has been listed for sale in a hacker's forum. According to the user, the claimed data contains 2.6 million account entries.#databreach #cyberrisk pic.twitter.com/7jttRnncpM
— FalconFeedsio (@FalconFeedsio) January 24, 2023
Other leaked data associated with those e-mail addresses, too. This appeared to include users’ real name, username, account avatar, bio, and native language. The data also indicated which e-mail addresses were verified, and whether Facebook or Google accounts were connected.
Thankfully, the leak did not contain user passwords.
On the same day as the leaked data was posted, security news site The Record contacted Duolingo. The company responded:
“These records were obtained by data scraping public profile information…
“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”
On August 21, the X (Twitter) account of vx-underground, a popular malware repository, posted about the breach on August 21. The post stated that the Duolingo account information was obtained through “a bug in the Duolingo API.”
A follower responded that the so-called API bug was actually a known flaw; anyone can find out such details about any Duolingo user, simply by knowing their registered e-mail address and querying the site.
It's not new, everybody can find a duolingo account with just an email. Check out https://t.co/KERoep3z6z
— BO̳̳̳̳̳̳̳̳̳̳uddah
⃤In Holliday (@bouddddddddddda) August 21, 2023
Presumably, that’s how the leaker obtained data about 2.6 million accounts in the first place. Quite likely, the leaker sent millions of queries about known e-mail addresses to Duolingo, and Duolingo’s servers responded with data whenever there was a match.
According to security news site BleepingComputer, vx-underground had encountered the same data mentioned in the January leak, now fully exposed—not behind a paywall—on another hacking forum.
On August 22, BleepingComputer confirmed that the API was still subject to the same scraping attacks that were exploited to obtain the leaked data back in January. The news site said that it had contacted Duolingo asking why the API was still exposed, but had not yet received a response from the company.
Finally, on August 23, popular data leak information site Have I Been Pwned added the more than 2.6 million e-mail addresses to its database. Anyone who wishes to find out whether their e-mail address was exposed in the Duolingo leak—or any of 700 other data leaks or breaches—can simply search for their address at haveibeenpwned.com.
Unfortunately, companies often expose user data, and often it isn’t treated as a serious matter.
One way that users can avoid exposing their information in such leaks is to use a unique e-mail address for each service.
Thankfully, that’s not as inconvenient as it may sound; you don’t need to register multiple e-mail accounts and check each and every one separately. There are at least two major services that offer anonymous e-mail forwarding.
The first is Hide My Email, included with Apple’s iCloud+ service; it starts at $0.99 per month, and is integrated with iOS and macOS. The second is DuckDuckGo Email Protection, which is a bit more complicated to use, but is free. Check out our comprehensive comparison of Hide My Email and DuckDuckGo Email Protection.
Which Is Better: Apple’s Hide My Email or DuckDuckGo Email Protection?
We discussed these e-mail privacy services on episode 255 of the Intego Mac Podcast.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
