Duolingo Data Breach: 2.6 Million Users At Risk Of Targeted Phishing Attacks

By ISBuzz Team, Writer, Information Security Buzz | Aug 24, 2023 04:55 am PST

In a startling revelation, the personal information of over 2.6 million Duolingo users has been compromised and posted on a hacking forum. The breach has led to the unauthorized scraping of sensitive user data, including usernames, email addresses, and potentially hashed passwords.

The popular language learning app Duolingo, boasting over 74 million monthly users, has now become the target of cybercriminals. The details of the Duolingo data breach were exposed on the dark web, with user FalconFeedsio sharing a screenshot of a user attempting to sell the compromised information.

Information Leaked on the Dark Web

The stolen data was posted on a prominent hacking forum on August 22 by a malicious actor who offered the 2.6 million records for $1,500. The cybercriminal claims to have gained access to the data by scraping and exploiting an exposed application programming interface (API). A sample from 1,000 accounts was offered to confirm the data’s legitimacy.

Risks to Affected Users

This exposure raises serious concerns, as the leaked information can be misused for malicious activities such as targeted phishing attacks and identity theft. With email addresses in the wrong hands, users might receive deceptive messages designed to steal further personal information or spread malware.

Duolingo Responds to the Incident

According to The Record, Duolingo has acknowledged the breach and is actively investigating. A spokesperson clarified that the records were obtained by scraping public profile information. The exposed API, still open despite being public knowledge since March 2023, allows anyone to retrieve public information from Duolingo profiles by inputting usernames.
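
One way a defender could spot the scraping pattern described above in API access logs, as an added example that is not Duolingo's code or part of the original article: it flags any client that looks up many distinct usernames within a short window. The log format, the `/api/profile` path, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

PROFILE_PATH = "/api/profile"  # hypothetical path, not Duolingo's real endpoint

def constructed_log():
    """Constructed sample: one client walks through usernames, two behave normally."""
    start, lines = datetime(2023, 8, 22, 10, 0, 0), []
    for i in range(40):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 203.0.113.7 GET {PROFILE_PATH}?username=user{i:04d}")
        lines.append(f"{t} 198.51.100.9 GET {PROFILE_PATH}?username=alice")
    for i in range(5):
        t = (start + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 192.0.2.44 GET {PROFILE_PATH}?username=friend{i}")
    return lines

def parse(line):
    """Return (time, client, username), or None if the line is not a profile lookup."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "GET":
        return None
    url = urlsplit(parts[3])
    names = parse_qs(url.query).get("username")
    if url.path != PROFILE_PATH or not names:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], names[0].lower()
    except ValueError:
        return None

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=20):
    """Map client -> peak count of distinct usernames looked up within one window."""
    recent = defaultdict(deque)  # client -> (time, username) pairs still inside the window
    peak = defaultdict(int)
    for record in filter(None, map(parse, lines)):
        ts, client, name = record
        q = recent[client]
        q.append((ts, name))
        while ts - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        peak[client] = max(peak[client], len({n for _, n in q}))
    return {c: p for c, p in peak.items() if p > max_distinct}

if __name__ == "__main__":
    print(find_enumerators(constructed_log()))
```

Counting distinct usernames rather than raw requests keeps a client that repeatedly refreshes one profile from being flagged.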

Stay Safe from Phishing Scams

For Duolingo users concerned about falling victim to phishing, careful examination of incoming emails is essential. Look for legitimate email addresses, watch for misspelled words, and avoid clicking on any suspicious links or attachments. Installing the best antivirus software can also provide additional protection.


Learning a new language is challenging, and Duolingo has made this easier for millions worldwide. However, this incident puts 2.6 million of those users at risk. The breach serves as a reminder of the importance of cyber security and the need for users to remain vigilant. Duolingo’s commitment to investigating the matter and ensuring data privacy is commendable, but users must remain cautious as their names and email addresses may already be in the hands of hackers.

Keep an eye on our information security news updates as we continue to monitor how Duolingo responds to this incident.

5 Expert Comments

Gil Dabah, Co-founder and CEO
August 28, 2023 2:39 pm

As cyber threats evolve, businesses have remained primarily focused on perimeter security, often overlooking potential vulnerabilities within their application APIs. Duolingo’s recent data leak incident underscores this oversight. The root of such vulnerabilities often lies in software coding—specifically, the absence of stringent access checks crucial for safeguarding user privacy. This isn’t a new concern. In fact, the Open Web Application Security Project (OWASP) has long cautioned against such issues. Yet, as the Duolingo incident illustrates, even major companies can sometimes neglect these warnings. The good news is that solutions already exist: tools that enforce rigorous access controls at both the data and code levels. Implementing these solutions isn’t just about technical upgrades; it’s about fostering a heightened awareness of evolving cyber threats and being proactive in defense.

George McGregor, VP of Marketing
August 24, 2023 1:36 pm

“This unfortunately makes Duolingo look extremely negligent for a number of reasons.

“Let’s list out some of the issues:

  • The API returning public profile data based on a username without any other checks
  • Automated scraping was possible because scripts can be run against the API: in other words, no backend check that requests are coming from a genuine app
  • The issue had actually been previously identified but not addressed

“A good mobile security solution can be used to address these issues and restrict API access to properly validated app instances.”

Max Gannon, Senior Cyber Threat Intelligence Analyst
August 24, 2023 1:35 pm

The scraped data doesn’t have much value outside of targeted attacks where the attacker spoofs Duolingo; this is demonstrated by the fact that the dump is now only worth $2.13. The only mitigation steps that can be taken are for users of Duolingo to be particularly suspicious of potentially spoofed communications.

Jason Kent, Hacker in Residence
August 24, 2023 1:20 pm

The Duolingo data breach highlights the vulnerabilities posed by poorly secured APIs and the potential for business logic abuse by threat actors. In this case, the breach was not a result of traditional hacking methods but rather the exploitation of an exposed API that had been openly shared since at least March 2023. Threat actors leveraged content scraping to obtain sensitive user data, which they subsequently leaked on a hacking forum. This exposed information enables threat actors to execute targeted phishing attacks and could lead to more severe consequences, such as intellectual property loss, increased IT costs, and potential customer attrition due to a compromised user experience. 

This incident underscores that not all attacks on digital resources involve traditional hacking techniques. Instead, attackers are increasingly focused on manipulating the functionalities of web apps, mobile apps, and APIs using automated tools like bots.

To mitigate the risks posed by content scraping attacks, organizations must adopt robust security measures encompassing traditional cybersecurity practices and newer strategies to defend against business logic abuse. Ensuring API security, conducting regular security audits, implementing access controls, and staying informed about emerging threats are vital steps to protect valuable user data and uphold customer trust.

Steven Wood, EMEA Director
August 24, 2023 1:02 pm

The Duolingo data leak is a vital reminder to businesses in possession of personal data to make sure their cyber defences are robust. Once sensitive information is exposed, like it has been for the 2.6 million users in this case, it can be used for extremely targeted social engineering attacks on the customers involved.

Organisations in every sector increasingly rely on digital technologies to deliver their services; therefore, the key learning lesson for businesses that hold private information is that they should ensure they have clearly defined security policies and procedures to avoid any information leak. In this instance, an exposed API has provided an open gateway for cybercriminals to scrape personal data from, and this may have been avoided by a thorough auditing of the API environment together with application security scanning to detect associated vulnerabilities.

From a reputation protection standpoint, being in the spotlight for data protection transgressions is not good for business. This story serves as a reminder for all organisations to invest appropriately in application security, data protection and cyber defences, and wherever possible to ensure that they have their approach to data security validated by trusted independent third parties, against technical controls.
