Duolingo is the world's largest language learning website and app, with over 74 million monthly users. According to BleepingComputer, the leaked personal data of Duolingo users would allow attackers to carry out targeted phishing attacks.
In January 2023, an account on a hacker forum offered data scraped from 2.6 million Duolingo users for sale for $1,500; that forum has since been shut down.
The data includes login names, real names, email addresses, and internal information related to Duolingo's service. Real names and login names are displayed publicly on a user's Duolingo profile, but email addresses are not, which makes them the non-public part of the dataset.
Ad selling data on 2.6 million Duolingo users for $1,500
Duolingo confirmed to TheRecord at the time that the data had been scraped from public profile information and that it was investigating whether further precautions should be taken. However, Duolingo did not address the fact that email addresses, which are not public, were also present in the data.
The data on 2.6 million users was released yesterday on a new version of the hacker forum for just $2.13. It was scraped using an exposed application programming interface (API) that has been shared openly since March 2023.
This Duolingo API lets anyone request a user's public profile information by submitting a username. However, the same endpoint also accepts an email address, and its response reveals whether that address is associated with a Duolingo account, turning a public profile lookup into an account-existence oracle for private email addresses.
BleepingComputer said the API remained publicly available even after its abuse was reported to Duolingo in January.
The scraper most likely fed millions of email addresses, probably obtained from earlier data breaches, into the API to find which ones belonged to Duolingo accounts. Each match was then paired with the public profile it resolved to, producing a dataset that combines public profile data with the non-public email address.
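The following is an added example, not Duolingo's code or the scraper the article describes. It models the pattern in the two paragraphs above: a profile-lookup handler that accepts either a username or an email address and so doubles as an account-existence oracle, the bulk email-to-profile linking loop an attacker would run against it, a hardened handler that only resolves public identifiers, and a check over constructed access-log lines that flags a client probing many distinct addresses. The endpoint path `/users`, the parameter names, the user records, the log format and the threshold are all assumptions.

```python
"""Added example: email-lookup oracle, scraping loop, hardened lookup, and a
log-based enumeration check. All names, data and formats are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    username: str  # public profile field
    name: str      # public profile field
    email: str     # private field, never meant to leave the backend


# Constructed sample accounts (hypothetical).
USERS = [
    User("alice", "Alice Example", "alice@example.com"),
    User("bob", "Bob Example", "bob@example.net"),
]
BY_USERNAME = {u.username: u for u in USERS}
BY_EMAIL = {u.email.lower(): u for u in USERS}


def _public_profile(user):
    return {"username": user.username, "name": user.name}


def lookup_vulnerable(username=None, email=None):
    """Assumed vulnerable handler: a username OR an email selects the record.
    Answering email lookups tells the caller whether the address has an
    account and hands back the public profile linked to it."""
    user = None
    if username is not None:
        user = BY_USERNAME.get(username)
    elif email is not None:
        user = BY_EMAIL.get(email.lower())
    return {"users": [_public_profile(user)] if user else []}


def lookup_hardened(username=None, email=None):
    """Hardened handler: only the public identifier is a lookup key. An email
    parameter is ignored, so the response is identical whether or not the
    address belongs to an account, and the oracle disappears."""
    user = BY_USERNAME.get(username) if username is not None else None
    return {"users": [_public_profile(user)] if user else []}


def link_emails_to_profiles(candidates, lookup):
    """The scraping loop described above: feed candidate addresses (e.g. from
    an older breach dump) to the lookup and keep every hit, pairing the
    private email with the public profile it resolves to."""
    linked = {}
    for addr in candidates:
        hits = lookup(email=addr)["users"]
        if hits:
            linked[addr] = hits[0]["username"]
    return linked


# Constructed access-log lines (hypothetical format: client method target status).
SAMPLE_LOG = """\
203.0.113.7 GET /users?email=alice%40example.com 200
203.0.113.7 GET /users?email=carol%40example.org 200
203.0.113.7 GET /users?email=dave%40example.org 200
203.0.113.7 GET /users?email=bob%40example.net 200
198.51.100.2 GET /users?username=alice 200
198.51.100.2 GET /users?email=bob%40example.net 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def email_lookups_per_client(log_text):
    """Count the distinct email values each client sent to /users."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/users":
            continue
        for addr in parse_qs(parts.query).get("email", []):
            seen[client].add(addr.lower())
    return {c: len(s) for c, s in seen.items()}


def flag_enumerators(log_text, threshold=3):
    """Clients that probed more than `threshold` distinct addresses. The
    threshold is an assumption to be tuned against legitimate traffic."""
    counts = email_lookups_per_client(log_text)
    return sorted(c for c, n in counts.items() if n > threshold)


if __name__ == "__main__":
    dump = ["alice@example.com", "nobody@example.com", "bob@example.net"]
    print("vulnerable:", link_emails_to_profiles(dump, lookup_vulnerable))
    print("hardened:  ", link_emails_to_profiles(dump, lookup_hardened))
    print("suspects:  ", flag_enumerators(SAMPLE_LOG))
```

Ignoring the email parameter is the simplest fix, but the same effect needs to hold across every path that could disclose existence (status codes, timing, error text); in practice the lookup should also require authentication and per-client rate limits, since even a username-only endpoint can be scraped wholesale if it is unauthenticated and unthrottled.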
Hacker re-uploads data of 2.6 million Duolingo users for a very cheap price
Companies tend to dismiss scraped data because most of it is already public. However, when public data is combined with private data such as phone numbers and email addresses, the exposed information becomes considerably more dangerous and the exposure may violate data protection laws.
In 2021, Facebook suffered a massive data breach after its "Add Friend" API was misused to link phone numbers to the Facebook accounts of 533 million users. Ireland's Data Protection Commission (DPC) fined Facebook €265 million ($275.5 million) for causing the data breach. A recent bug in Twitter's API was used to scrape public data and email addresses of millions of users, leading to a DPC investigation. Duolingo has yet to explain why it left its API open to everyone after abuse reports.