Hackers expose data of 2.6 million Duolingo users

Duolingo is one of the largest language learning sites in the world, with over 75 million monthly users worldwide. The scraped data of 2.6 million people, which was on sale in January 2023 with a starting price of $1,500, is now available on the cybercrime marketplace BreachForums for just 8 credits, worth $2.13.

The shared data contains email addresses, usernames, names, phone numbers, information about social networks, and other generic info such as language studies, experience, progress and achievements.

This data was scraped using an exposed application programming interface (API). The API allows anyone to submit a username and retrieve the user’s public profile information. However, it is also possible to feed an email address into the API and confirm whether it is associated with a valid Duolingo account. Scrapers can feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm whether they belong to Duolingo accounts. These email addresses can then be used to create the dataset containing public and non-public information.
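A defender-side sketch of how the email-lookup pattern described above shows up in API access logs, added here as an example and not taken from Duolingo or the original article. The log format, the `/users` path, the query parameter names, the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed: distinct emails per client per window

def parse_line(line):
    """Parse 'ISO-timestamp client-ip request-target status' (constructed format)."""
    ts, client, target, _status = line.split()
    email = parse_qs(urlsplit(target).query).get("email", [None])[0]
    return datetime.fromisoformat(ts), client, email.lower() if email else None

def find_enumerators(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: peak distinct-email count} for clients reaching the threshold."""
    recent = defaultdict(deque)          # client -> (timestamp, email) inside the window
    flagged = {}
    for line in lines:
        ts, client, email = parse_line(line)
        if email is None:                # username lookups are the ordinary profile path
            continue
        q = recent[client]
        q.append((ts, email))
        while ts - q[0][0] > window:     # evict lookups older than the window
            q.popleft()
        distinct = len({e for _, e in q})
        if distinct >= threshold:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def sample_log():
    """Constructed log lines; addresses use documentation IP ranges and example domains."""
    lines = ["2024-01-01T09:59:00 203.0.113.20 /users?username=alice 200"]
    for i in range(6):   # one client cycling through a list of different addresses
        lines.append(f"2024-01-01T10:00:{i * 5:02d} 198.51.100.7 /users?email=user{i}@example.com 200")
    for i in range(6):   # same address retried: one distinct email, not enumeration
        lines.append(f"2024-01-01T10:01:{i * 5:02d} 203.0.113.20 /users?email=me@example.org 200")
    for i in range(6):   # distinct addresses, but only one per hour
        lines.append(f"2024-01-01T1{i}:00:00 192.0.2.5 /users?email=slow{i}@example.net 200")
    return lines

if __name__ == "__main__":
    for client, count in find_enumerators(sample_log()).items():
        print(f"{client}: {count} distinct email lookups within {WINDOW}")
```

The one-per-hour client in the sample is not flagged, which shows the limit of per-client rate thresholds: slow or distributed lookups need a longer window or aggregation across clients, and the underlying fix is an API that does not confirm account existence for an unauthenticated email query.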
