cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Duolingo hit by scraping attack, as millions of user details for sale

Duolingo is investigating a data-scraping incident following a post on a well-known data breach forum offering the data of Duolingo users for sale.

user icon David Hollingworth
Fri, 27 Jan 2023
Duolingo hit by scraping attack, as millions of user details for sale
expand image

The post was made on the Breached forums on 24 January and was reported by a security specialist on Twitter the same day. The next day, Duolingo acknowledged the issue, telling The Record that the data was from public profile information.

“No data breach or hack has occurred,” a Duolingo spokesperson told The Record. “We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”

There is no notice from Duolingo on its site or social media feeds of the account details for sale.


The post in question claims to have scraped the user data of 2.6 million Duolingo users, including usernames, emails, and phone numbers. The data is being offered to anyone willing to pay US$1,500, and the poster — who goes by the username of House — has included a sample set of 1,000 people to browse.

“I am selling 2.6 million DuoLingo account entries that were scraped from an exposed API,” the post reads. “Starting price is $1,500 USD, but the price can be negotiated.”

A Telegram messaging address was then provided.

Some fellow Breached forum members questioned the worth of the data, and how recent it was. House insists the data is recent, and took over a week to scrape from the site, before posting the sample.

While some reports have noted this data is for sale on the dark web, Breached is in fact a clearnet site, and the Telegram address is usable in any web browser.

Data scraping is a problem for many companies. Facebook parent company Meta has struggled to fight data scrapers, and recently took legal action against data scraping company Voyager Labs. This was after Meta itself was hit with a hefty fine following the data of 530 million Facebook users being posted online.

The legality of data scraping is a contentious area. It is not legal per se, and many legitimate companies offer data scraping services. For instance, Crawlbase even has a specific page dedicated to scraping data from Duolingo, complete with an assertion that the company uses “high-quality rotating proxies to avoid blocked requests, IP bans, and CAPTCHAs with ease”.

The issue is that data scraping is often against the terms of service of many companies, which is in fact the argument Meta makes.

“This industry covertly collects information that people share with their community, family and friends, without oversight or accountability, and in a way that may implicate people’s civil rights,” Meta stated in a recent blog post.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.