Abraham Jewett  |  August 29, 2023

Category: Data Breach



Duolingo data breach overview: 

  • Who: The scraped data of more than 2.6 million Duolingo users has been made available on the cybercrime marketplace BreachForums. 
  • Why: The breach of data is being blamed on a vulnerability in Duolingo’s application program interface. 
  • Where: The breach affects consumers nationwide.

The scraped data of more than 2.6 million Duolingo users has been made available on an online hacking forum, following an apparent data breach affecting the popular language learning platform.

Stolen Duolingo data was initially put up for sale on the now-shut-down Breached hacking forum in January, but is now available on a cybercrime marketplace known as BreachForums, reports Cybernews.

The stolen data reportedly includes email addresses, usernames, names, telephone numbers, social network information and other generic information related to user activity in the Duolingo app. 

However, no email addresses were obtained from Duolingo systems, Duolingo tells Top Class Actions in a statement. The email addresses involved in this incident were previously obtained from other sources and then fed into a public API and matched with Duolingo usernames.

“This API was public in order to power the ‘Find My Friends’ feature, which allows learners to look up their friends on Duolingo using an email address,” Duolingo says. “This API is being rate limited to prevent this type of exploit in the future.”

Duolingo learners can also choose to make their profiles private if they would prefer not to share their Duolingo profile and activity publicly.

The asking price for the scraped data was originally $1,500 back in January — a price that was noted as being open for negotiation — but can now be obtained for a total of 8 forum credits, the equivalent of $2.13, reports Cybernews. 

“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!” the post on BreachForums states.

Duolingo says scraped data comes from public profile information

In a statement to Top Class Actions, Duolingo says its investigation confirmed this was not a breach or a hack but rather a scrape of data from public Duolingo profiles.

“No Duolingo systems or private user data were compromised,” the statement says. “Regardless, as a precautionary measure, we have taken some steps to limit this from happening again. We have put in place rate limits on the specific API endpoint to make it more difficult for attackers to abuse. We take data privacy and security seriously and will continue to constantly evaluate our security measures to ensure learner safety.”
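The rate limiting Duolingo describes can be sketched for a lookup-by-email endpoint as follows. This is an added example, not Duolingo's code (the article does not describe its implementation); the class name, thresholds, client identifiers and sample traffic are all constructed assumptions. It limits the number of distinct addresses a client may look up in a time window, because matching a list of emails against accounts means querying many different values rather than repeating one.

```python
# Added example: names, thresholds and traffic below are constructed assumptions.
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

_KEY = secrets.token_bytes(32)  # per-process key so stored digests are not plain hashes


class LookupLimiter:
    """Sliding-window cap on *distinct* emails one client may look up.

    An ordinary friend search touches a few addresses; bulk matching walks
    through thousands of different ones, so distinct values are the signal.
    """

    def __init__(self, max_distinct=20, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(deque)  # client_id -> deque[(timestamp, digest)]

    @staticmethod
    def _digest(email):
        # Keyed digest of the normalised address; raw emails are never stored.
        norm = email.strip().lower().encode()
        return hmac.new(_KEY, norm, hashlib.sha256).hexdigest()

    def allow(self, client_id, email, now):
        q = self._seen[client_id]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()  # forget lookups that have left the window
        d = self._digest(email)
        distinct = {h for _, h in q}
        if d not in distinct and len(distinct) >= self.max_distinct:
            return False  # a new address would exceed the budget: reject
        q.append((now, d))
        return True


def simulate():
    """Constructed traffic: one ordinary user and one bulk-matching client."""
    lim = LookupLimiter(max_distinct=20, window_s=3600)
    user_ok = all(lim.allow("user-a", f"friend{i % 3}@example.com", now=i)
                  for i in range(100))               # 3 friends, looked up repeatedly
    bulk = [lim.allow("client-b", f"addr{i}@example.com", now=i)
            for i in range(500)]                     # 500 different addresses
    after_window = lim.allow("client-b", "addr999@example.com", now=3625)
    return user_ok, sum(bulk), after_window
```

The limit only holds if `client_id` is something a caller cannot rotate cheaply, such as an authenticated account or API key; keyed on IP address alone it is easy to spread lookups across many sources.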

Researchers with vx-underground warned in a post on X — formerly known as Twitter — that the leaked data will be used for a cyberattack known as doxxing, which could end up leading to targeted phishing attacks. 

In its post, vx-underground noted that a threat actor was able to identify a bug in Duolingo’s application programming interface which allowed them to receive generic account information of the app’s users. 

Duolingo was founded in 2011 and has more than 500 million registered users and more than 60 million monthly active users, according to CyberNews, which reports that it found user data on the platform remains available for scraping. 

In similar news, a number of class action lawsuits have recently been filed against healthcare systems and other companies in response to data breaches, over claims not enough was done to prevent them. 

Are you an active Duolingo user and concerned your data may have been scraped? Let us know in the comments!



61 thoughts on Breached data of 2.6M Duolingo users available on hacking forum

  1. Zamambo Mkhize says:

    I’ve had Duolingo for over 6 years

  2. Joy A. Martinez says:

    I have a streak of 557 days on Duolingo. Would definitely like to exercise my right to compensation

  3. Louis Joseph says:

    I’ve been on Duolingo for over 400 days.

  4. Bonita says:

    I am an active Duolingo user.
    Learning Italian for work purposes.

  5. Lyndi L Reichenbach says:

    I am on Duolingo.

  6. Steph says:

    I have a Duolingo account.

  7. Mike A says:

    I have Duolingo

  8. Amy says:

    I have a Duolingo Account
