Duolingo Data Breach

2.6M records exposed • January 2023

Duolingo had a public door that let anyone look up user information if they knew how to ask. Hackers asked millions of times and collected data on 2.6 million users.

What Happened

An exposed API endpoint allowed attackers to scrape 2.6 million user records by iterating through the API. The data was sold on hacking forums.

Attack method: API scraping via exposed endpoint

What Data Was Exposed

Email addresses, names, profile information, learning progress

What to Do If You're Affected

  1. Be aware of potential phishing using your data
  2. Review Duolingo privacy settings
  3. Change your password if it is reused elsewhere

Lessons for Businesses

  • API security is critical for web applications
  • Rate limiting prevents mass scraping
  • Unauthenticated (public) endpoints should not expose PII
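The two mitigations above, per-client rate limiting and withholding PII from unauthenticated callers, as an added illustration that is not code from Duolingo or from this page; the user store, field names and limits are constructed placeholders:

```python
import time
from collections import deque

# Constructed sample user store; hypothetical, not real Duolingo data.
USERS = {
    "alice": {"username": "alice", "email": "alice@example.com", "streak": 42},
    "bob": {"username": "bob", "email": "bob@example.com", "streak": 7},
}
# Only these fields may be returned to an unauthenticated caller.
PUBLIC_FIELDS = {"username", "streak"}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}  # client id -> deque of request timestamps

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_user(username, client, authenticated, limiter, now=None):
    """Return (status, body). Misses count against the budget too, so a scraper
    cannot cheaply probe which usernames exist; PII only goes to authenticated callers."""
    if not limiter.allow(client, now):
        return 429, {"error": "rate limited"}
    user = USERS.get(username)
    if user is None:
        return 404, {"error": "not found"}
    if authenticated:
        return 200, dict(user)
    return 200, {k: v for k, v in user.items() if k in PUBLIC_FIELDS}


def simulate_scrape(candidates, limiter, client="scraper", now=0.0):
    """Tally the statuses one unauthenticated client gets when iterating candidates."""
    counts = {}
    for name in candidates:
        status, _ = lookup_user(name, client, False, limiter, now)
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Tuning the real limit means measuring legitimate per-client traffic first; the window and count here are only placeholders.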
