Duolingo: Leak with 2.6 million user records, check for 'Have I been Pwned' possible

Sicherheit (Pexels, allgemeine Nutzung)[German]Vulnerabilities in the language learning app/platform API from Duolingo allows to scape user data. Now Troy Hunt has integrated a data set with information on 2.6 million Duolingo users into his platform 'Have I been Pwned'. And if I've noticed correctly, the vulnerabilities in the Duolingo API still haven't been fixed yet.


For background, Duolingo is a freemium online service for learning languages. It was created with the goal of making education available to everyone for free. The company of the same name has been listed on the US technology exchange NASDAQ since 2021. At the end of March 2023, it had around 72.6 million active monthly users and 4.8 million paying customers.

I myself installed the Duolingo app on an Android device to get a taste of a language and brush up on old skills. However, I have never registered an account with this provider, so I am not affected by the hack.

Duolingo data leak

It seems that 2.6 million records of Duolingo users surfaced in a hacker forum in January 2023. Colleagues at Bleeping Computer write here that it was the now-closed Breached hacker forum. A hacker pulled this personal data via the Duolingo API and originally offered it for $1,500.

According to Bleeping Computer, this data includes a mix of public login and real names, as well as non-public information, including email addresses and internal information related to the Duolingo service. The user's name and login name are arguably public, but the associated email address is not. There is a risk that this email address is now being used for phishing and other attacks.

Originally, Duolingo had classified the data as genuine. The days then vx-underground again came across the of 2.6 million Duolingo records, which were now offered in an updated version. This data was retrieved via an application programming interface (API) that has been publicly available since at least March 2023. It is known how to use this API. It is enough to enter a username to get the corresponding email address via API and vice versa.

BleepingComputer writes that this API is still accessible to anyone on the Internet, even after its misuse was reported to DuoLingo in January 2023. So the data leak is still open.


Data on Have I been Pwned

I already came across the following tweet the other day from Troy Hunt, who runs the website 'Have I been pwned' (HIBP). Troy Hunt then asked in the above tweet if anyone had a link to this data and if they could probably get the records.

Duolingo user data leaked

In the meantime, he seems to have received the data sets and has integrated them on his platform.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *