Security & Privacy

2.6 million Duolingo users’ accounts exposed in data leak

Posted on by

Duolingo is a popular language-learning app and site with more than 74 million monthly active users. The company recently suffered a data leak resulting in the exposure of more than 2.6 million users’ e-mail addresses and other information. Here’s what you need to know.

In this article:

What is the timeline of the Duolingo user data leak?

In January 2023, a hacking forum user claimed to have the e-mail addresses of 2.6 million users of the service and was selling the list for $1500 or best offer.

What else was exposed in the Duolingo data leak?

Other leaked data associated with those e-mail addresses, too. This appeared to include users’ real name, username, account avatar, bio, and native language. The data also indicated which e-mail addresses were verified, and whether Facebook or Google accounts were connected.

Thankfully, the leak did not contain user passwords.

On the same day as the leaked data was posted, security news site The Record contacted Duolingo. The company responded:

“These records were obtained by data scraping public profile information…

“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”

The resurfacing and wider exposure of the leaked Duolingo data

On August 21, the X (Twitter) account of vx-underground, a popular malware repository, posted about the breach on August 21. The post stated that the Duolingo account information was obtained through “a bug in the Duolingo API.”

A follower responded that the so-called API bug was actually a known flaw; anyone can find out such details about any Duolingo user, simply by knowing their registered e-mail address and querying the site.

Presumably, that’s how the leaker obtained data about 2.6 million accounts in the first place. Quite likely, the leaker sent millions of queries about known e-mail addresses to Duolingo, and Duolingo’s servers responded with data whenever there was a match.

According to security news site BleepingComputer, vx-underground had encountered the same data mentioned in the January leak, now fully exposed—not behind a paywall—on another hacking forum.

On August 22, BleepingComputer confirmed that the API was still subject to the same scraping attacks that were exploited to obtain the leaked data back in January. The news site said that it had contacted Duolingo asking why the API was still exposed, but had not yet received a response from the company.

Finally, on August 23, popular data leak information site Have I Been Pwned added the more than 2.6 million e-mail addresses to its database. Anyone who wishes to find out whether their e-mail address was exposed in the Duolingo leak—or any of 700 other data leaks or breaches—can simply search for their address at haveibeenpwned.com.

How can I minimize exposure from similar data leaks?

Unfortunately, companies often expose user data, and often it isn’t treated as a serious matter.

One way that users can avoid exposing their information in such leaks is to use a unique e-mail address for each service.

Thankfully, that’s not as inconvenient as it may sound; you don’t need to register multiple e-mail accounts and check each and every one separately. There are at least two major services that offer anonymous e-mail forwarding.

The first is Hide My Email, included with Apple’s iCloud+ service; it starts at $0.99 per month, and is integrated with iOS and macOS. The second is DuckDuckGo Email Protection, which is a bit more complicated to use, but is free. Check out our comprehensive comparison of Hide My Email and DuckDuckGo Email Protection.

Which Is Better: Apple’s Hide My Email or DuckDuckGo Email Protection?

We discussed these e-mail privacy services on episode 255 of the Intego Mac Podcast.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →