Duolingo
What Happened
In August 2023, 2.6M records of data scraped from Duolingo were broadly distributed on a popular hacking forum. Obtained by enumerating a vulnerable API, the data had earlier appeared for sale in January 2023 and contained email addresses, names, the languages being learned, XP (experience points), and other data related to learning progress on Duolingo. Whilst some of the data attributes are intentionally public, the ability to map private email addresses to them presents an ongoing risk to user privacy.
Compromised Data
Recommended Actions
Monitor for Suspicious Activity
Watch for unusual login attempts, spam and phishing emails.
Breach Overview
-
Affected Accounts:
2.7 million
-
Breach Occurred:
January 2023
-
Added to HIBP:
23 Aug 2023
Recommended Actions
Change Your Password
If you haven't changed your Duolingo password since 2023, do so immediately.
Enable Two-Factor Authentication
Add an extra layer of security to your account.
Check Other Accounts
If you used the same password elsewhere, change those too.
Monitor for Suspicious Activity
Watch for unusual login attempts or messages from your account.
