October 3, 2023

Threat actors have exposed 2.6 million DuoLingo users` data on the dark web. The sale was posted on August 22nd for a cost of only $2.13. The scraped DuoLingo data was previously for sale on another dark forum, in January 2023, at a cost of $1,500.

The DuoLingo data was scraped due to an exposed API. Starting at least March 2023, researchers publicly shared how to use the API that enables anyone to submit a username and retrieve JSON output with the user’s public profile details.

The API enabled the scraper to use millions of email addresses previously exposed in other data breaches to create a dataset that matched public and non-public information regarding the email addresses owners.


More than 74 million people worldwide use DuoLingo monthly to learn a foreign language. The giant language learning platform is available from a desktop, Android or iPhone. They even offer a version for schools. While some of the data are public, the ability of correlating them to non-public data, such as the email address or phone numbers, poses a risk. Threat actors use this kind of data for phishing attacks and online impersonation.

Although educating employees is a mandatory, you should never rely only on your colleagues` ability to spot a phishing email or a fraud in time. Enforce email security measures and multi-factor authentication to protect your digital assets and prevent a Business Email Compromise attack.

Leave a Reply

%d bloggers like this: