Duolingo Cites Data Scrape for Exposing Nearly 3M Email Addresses
The company says its investigation found it was a “scrape of data from public Duolingo profiles”, not a hack, that led to the incident
Duolingo said the incident that exposed nearly 3 million user email addresses was not a system hack, but rather a data "scrape" of public profiles through a publicly reachable application programming interface (API). The company issued the statement following last week's reports of the exposure.
“Our investigation confirmed that this was not a breach or a hack; it was a scrape of data from public Duolingo profiles,” a spokesperson said. “No Duolingo systems or private user data were compromised.
“Regardless, as a precautionary measure we have taken some steps to limit this from happening again. We have put in place rate limits on the specific API endpoint to make it more difficult for attackers to abuse. We take data privacy and security seriously and will continue to constantly evaluate our security measures to ensure learner safety.”
The exposure of users' information was first disclosed in January, though the sale of the scraped email addresses online was only recently discovered.
According to Duolingo's investigation, the email addresses were not taken from its systems. The attacker started with addresses collected from other sources, submitted them to a public API, and recorded which ones resolved to a Duolingo username, tying each address to a public profile.
“This API was public in order to power the ‘Find My Friends’ feature which allows learners to look up their friends on Duolingo using an email address,” according to a company statement. “This API is being rate limited to prevent this type of exploit in the future.”
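The lookup-and-match pattern the statement describes, and the per-client rate limit Duolingo says it added to the endpoint, as an added Python example. This is not Duolingo's code or API; the account records, the externally sourced email list, the client key, the bucket size and the refill rate are all constructed assumptions for illustration.

```python
"""Added example: scraping an email-to-username lookup endpoint, and slowing
it with a per-client token bucket. Illustrative only; every record, name and
limit value here is constructed and does not describe any real service."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed, hypothetical account directory standing in for the service's
# private user table. The scraper never reads it; it only sees lookup answers.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "alice_learns",
    "bob@example.net": "bob_b",
    "carol@example.org": "carol_42",
}

# Constructed addresses an attacker already holds from unrelated sources
# (the article says the emails did not come from the service itself).
EXTERNAL_EMAILS: List[str] = [
    "alice@example.com",
    "nobody@example.com",
    "bob@example.net",
    "dave@example.com",
    "carol@example.org",
]


class RateLimited(Exception):
    """Raised where a real endpoint would answer HTTP 429."""


def lookup_by_email(email: str) -> Optional[str]:
    """Unthrottled 'find my friends' style lookup: a username for a known
    email, None otherwise. Because the two answers differ, anyone who can
    call it freely can confirm which emails belong to accounts and tie each
    one to a public profile."""
    return ACCOUNTS.get(email.strip().lower())


def scrape(emails: Iterable[str],
           lookup: Callable[[str], Optional[str]]) -> Tuple[Dict[str, str], int]:
    """The scraping pattern: feed externally sourced emails into the lookup,
    keep every email that resolved to a username, count throttled calls."""
    matches: Dict[str, str] = {}
    throttled = 0
    for email in emails:
        try:
            username = lookup(email)
        except RateLimited:
            throttled += 1
            continue
        if username is not None:
            matches[email] = username
    return matches, throttled


class TokenBucket:
    """Per-client token bucket: `capacity` calls may burst, after which calls
    are allowed only as tokens refill at `refill_per_sec`. The clock value
    `now` is injected so behaviour is deterministic and testable."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._tokens: Dict[str, float] = defaultdict(lambda: self.capacity)
        self._last: Dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        last = self._last.get(client, now)
        tokens = min(self.capacity,
                     self._tokens[client] + (now - last) * self.refill_per_sec)
        self._last[client] = now
        if tokens < 1.0:
            self._tokens[client] = tokens
            return False
        self._tokens[client] = tokens - 1.0
        return True


def rate_limited_lookup(limiter: TokenBucket, client: str,
                        email: str, now: float) -> Optional[str]:
    """The same lookup behind a per-client limit; throttled calls fail
    distinctly instead of looking like a 'not found' answer."""
    if not limiter.allow(client, now):
        raise RateLimited(client)
    return lookup_by_email(email)


def demo() -> Tuple[Dict[str, str], Dict[str, str], int]:
    """Run the scraper against the open endpoint and the limited one."""
    open_matches, _ = scrape(EXTERNAL_EMAILS, lookup_by_email)

    # Constructed limit: a burst of 2 lookups per client, refilling 1 per 10 s.
    # The scraper fires requests 1 ms apart (constructed clock), so the bucket
    # empties after two calls and the rest are throttled.
    limiter = TokenBucket(capacity=2, refill_per_sec=0.1)
    clock = [0.0]

    def throttled_lookup(email: str) -> Optional[str]:
        clock[0] += 0.001
        return rate_limited_lookup(limiter, "203.0.113.7", email, clock[0])

    limited_matches, throttled = scrape(EXTERNAL_EMAILS, throttled_lookup)
    return open_matches, limited_matches, throttled


if __name__ == "__main__":
    before, after, blocked = demo()
    print("open endpoint resolved:", before)
    print("limited endpoint resolved:", after, "| throttled calls:", blocked)
```

Two points worth keeping in mind when reading the example. The match is possible at all because the endpoint answers differently for a known and an unknown address; a rate limit leaves that difference in place and only raises the cost per confirmed address. And a per-client bucket measures one client, so an attacker who spreads the same list across many source addresses or accounts gets proportionally more throughput, which is why a limit of this kind is better described as slowing the scrape than as preventing it.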