API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names

Duolingo Investigates Data Leak as Hacker Shares Personal User Information on Hacker Forums and Telegram.

It is worth noting that Duolingo has not suffered a data breach; the data leak was a result of web scraping through public API abuse.


  • Extensive User Impact: The breach affects a substantial user base, with the personal data of over 2.6 million individuals exposed.
  • Comprehensive Data Set: The compromised information includes diverse details like usernames, full names, email addresses, countries, language course subscriptions, and account creation dates.
  • Vulnerable API Exploitation: The breach was executed through the exploitation of a public API, highlighting the potential risks posed by publicly accessible interfaces.
  • Data Misuse Concerns: The breadth of exposed data raises concerns about potential misuse, including identity theft, phishing, and cybercrime targeting affected users.
  • Heightened Privacy Risks: Users’ privacy is at stake due to the depth of sensitive data exposed, emphasizing the need for robust cybersecurity measures in safeguarding personal information.

A hacker has recently disclosed the personal information of approximately 2.6 million users of the popular language-learning platform, Duolingo. Contrary to a conventional data breach where hackers infiltrate an organization’s servers, this incident involved the exploitation of a public API.

The hacker, who also serves as a moderator on the Breach Forums, managed to scrape user data in January 2023, leading to the exposure of account-related details for a vast number of Duolingo users.

Duolingo, known for its accessible and engaging language courses, was caught off guard by the incident. The breach, while not originating from a direct assault on Duolingo’s servers or infrastructure, highlights the complex challenges organizations face in safeguarding user information in a hostile and uncertain environment created by threat actors.

Leaked Data

Hackread.com has examined and analyzed the exposed data, shedding light on its contents. The dataset encompasses the personal information of a staggering 2,658,787 users. This encompassing collection includes critical details such as:

  • Full names
  • Usernames
  • Email addresses
  • Countries of origin
  • The precise dates of account creation
  • The language courses to which users have subscribed

Notably, the gravity of the breach escalated when, prior to the public leak, another threat actor attempted to sell the same dataset for $1500. The revelation of the data on hacker forums and Telegram channels has only exacerbated concerns regarding user privacy and the potential misuse of exposed information.

Screenshot from the leaked Duolingo data (Image credit: Hackread.com)
Duolingo data leaked and sold on Breach Forums (Image credit: Hackread.com)

Duolingo, in response to the breach, is diligently investigating the situation and has intensified its efforts to secure user data. The incident has catalyzed discussions about the protection of user information in an era where APIs, often considered as open doors to data, require heightened vigilance.


While distinct from a conventional data breach, the exposure of email addresses and full names of 2.6 million Duolingo users still constitutes a significant privacy breach. This incident raises considerable concerns as it exposes individuals to potential risks such as targeted phishing attempts, identity theft, and cyberattacks.

Hackers armed with such specific personal information can craft convincing phishing emails, posing as legitimate entities, to deceive users into sharing further sensitive details or clicking on malicious links.

Moreover, the divulgence of full names can aid cybercriminals in constructing more credible and convincing social engineering schemes, increasing the likelihood of successfully breaching users’ accounts or even conducting scams. As such, even seemingly basic information leaks can lead to severe consequences for affected users.

In an environment where personal data is an invaluable currency, Duolingo data scraping stands as a testament to the ever-evolving methods of hackers and the pressing need for organizations to remain resilient against cyber threats.

As users await the outcome of Duolingo’s investigation, the incident underscores the collective responsibility to maintain digital security and protect user data from falling into the wrong hands.

  1. Hackers leak scraped data of 87,000 GETTR users
  2. A hacker is selling 700 million LinkedIn users accounts
  3. Facebook sues developer of data scraping extensions for Chrome
  4. Facebook sues Ukrainian for scraping and selling 178m users’ data
  5. Data scraping firm leaks 235m Insta, TikTok, YouTube user records
Related Posts