Duolingo—Duolingo API vulnerability exposed 2.6 million users' personal data including emails

Aug 1, 2023

In August 2023, data from 2.6 million Duolingo users was released publicly after an API vulnerability allowed scraping of user information. The exposed data included real names, login names, email addresses (not meant to be public), languages learned, XP points, and learning progress. The vulnerability was first exploited in January 2023 when data was offered for sale for $1,500. Despite a researcher publicly disclosing the API flaw in March 2023, the API remained accessible. Duolingo called it 'a scrape' rather than a breach.

Scoring Impact

Topic	Direction	Relevance	Contribution
Data Security	-against	primary	-1.00
User Privacy	-against	primary	-1.00
Overall incident score =			-0.443

Score = avg(topic contributions) × significance (high ×1.5) × confidence (0.59)× agency (negligent ×0.5)

Evidence (1 signal)

Confirms Policy Change Aug 22, 2023 verified

Duolingo data from 2.6 million users released after API scraping

Data from 2.6 million Duolingo users was released publicly after API vulnerability allowed mass scraping of user information including emails.

Bleeping Computer

Related: Same Topics

Flutterwave · Lost ₦11 billion ($7M+) in security breach as perpetrators illegally transferred funds

Apr 1, 2024

Computacenter · Allegedly fired manager who reported Deutsche Bank security breach

Jul 1, 2023

LY Corporation · Suffered major data breach affecting 520,000 users due to shared infrastructure with Korean parent

Oct 9, 2023

ByteDance · China-based ByteDance employees repeatedly accessed nonpublic data of US TikTok users

Jun 17, 2022

Coinbase · Insider data breach exposed 69,461 customers' sensitive data, costing $355+ million

Dec 26, 2024