August 29, 2023
The email addresses of just under 3 million Duolingo users (2.68 million) were compromised and are being sold online following a data breach at the beginning of this year.
According to new data from Surfshark, around a third of the compromised accounts belonged to U.S. users.
The new report found 967,000 U.S. email addresses were exposed, while accounts from South Sudan were second, followed by France and then the U.K.
“In total, 16.3M data points of Duolingo users were exposed,” the report said. “On average, each email account was leaked with five data points, such as language, profile picture, username, name, country or bio. Some user accounts got all of their details leaked.”
Duolingo first acknowledged the breach in January, including the exposure of public information such as user names. However, it was not known that users’ email addresses had been compromised; these are now appearing for sale on hacking forums.
“The biggest concern is the exposure of email addresses — it could be used for phishing attacks,” the Surfshark report said. “People affected might receive personalized phishing emails, such as offering affordable courses related to the language they have been studying on Duolingo. This could be done using leaked names and origin countries, resulting in highly customized emails, possibly even in their own native languages.”
The data was reportedly accessed by scraping Duolingo’s database using an exposed application programming interface (API).