
Duolingo, Looks Like You Missed Your API Security Lesson Today!


Introduction

Duolingo and its iconic big green bird mascot are famous for their notifications about missing language lessons. But even the most diligent learners can sometimes miss a lesson, and it appears that Duolingo itself skipped a crucial one – lessons on API Security. This oversight recently led them into a bit of a pickle, as hackers swooped in and managed to scrape the data of 2.6 million Duolingo users. So, let's spread our cyber-wings and take a closer look at the details of this breach!

The Breach Unveiled

Let’s talk about the data. The scraped data of 2.6 million Duolingo users made its way to a hacking forum. The exposed information included users' email addresses, usernames, names, and even phone numbers if they provided them. That's already a lot of personal info floating around out there. But wait, there's more! Social network details, language-learning progress, achievements – you name it, all cozying up together in this unfortunate dataset.

The Public-Facing API: A Double-Edged Sword

So, how did this happen? It turns out that the Duolingo API lets anyone, without logging in, submit an email address and get back the profile of the account registered to it. A security researcher named Ivano Somaini tested this behaviour in Duolingo's API extensively. He showed that simply by changing the address in the request URL, he could pull various pieces of user data – a user's streak, profile picture, learning progress, and more. It's like stumbling upon someone's personal diary; even seemingly harmless entries can be pieced together to form a detailed picture.

Somaini's discovery showed how much the API handed over: the languages a user is learning, XP points, crowns, and even indicators of whether the account was linked to Facebook or Google. None of these fields is sensitive on its own. What makes the dataset valuable to an attacker is that every one of them comes back tied to a confirmed email address, and often a real name and phone number, which is exactly the raw material a convincing phishing message needs.

Duolingo’s Response

A Duolingo spokesperson responded by saying that the records were obtained by data scraping public profile information and that there is no indication that their systems are compromised. “The API used in this incident is intentionally made public to help our learners find friends who are also using Duolingo. Duolingo learners have the option to make their profiles private if they would prefer not to have their profiles publicly searchable,” the spokesperson commented.

While the intention behind helping language learners find each other is commendable, the incident highlights a pitfall in how that feature was built. "Public profile" is a fair description of the fields a visitor can already see on a learner's page, but an email address is not one of them. A lookup keyed on email adds something the profile page never showed: it confirms that a given address belongs to a Duolingo account and links it to that account's name and activity. Feed it a list of addresses from older breaches and it becomes an enumeration oracle, which is how millions of "public" records end up correlated with private identities.
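To make the design point concrete, here is an added example (not Duolingo's code; the endpoint, field names and the `private` and `email_discoverable` flags are assumptions for illustration). It models a friend-lookup API that behaves the way the article describes, keyed on email and blind to privacy settings, next to a hardened variant that still lets learners find friends but refuses to act as an email oracle:

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    username: str
    email: str                 # account identifier, never meant for display
    name: str
    phone: Optional[str]
    streak: int
    xp: int
    languages: list
    private: bool = False            # assumed "make my profile private" switch
    email_discoverable: bool = False  # assumed opt-in: "friends may find me by email"


# Constructed sample accounts for the example (not real users).
USERS = [
    Profile("polyglot_pat", "pat@example.com", "Pat Lee", "+15550100", 412, 90210, ["es", "fr"],
            email_discoverable=True),
    Profile("quiet_quinn", "quinn@example.com", "Quinn Ro", None, 7, 1500, ["de"], private=True),
    Profile("sam_learns", "sam@example.com", "Sam Ortiz", "+15550199", 33, 4200, ["ja"]),
]
BY_EMAIL = {u.email.lower(): u for u in USERS}
BY_USERNAME = {u.username.lower(): u for u in USERS}


def lookup_weak(email: str) -> Optional[dict]:
    """The design the article describes: whoever supplies an email address gets
    the matching profile, privacy setting or not. Because unknown addresses get
    a different answer from known ones, the endpoint also confirms which emails
    have accounts, so a breach list of emails can be turned into a user list."""
    user = BY_EMAIL.get(email.lower())
    if user is None:
        return None
    return {
        "username": user.username, "name": user.name, "email": user.email,
        "phone": user.phone, "streak": user.streak, "xp": user.xp,
        "languages": list(user.languages),
    }


class RateLimiter:
    """Fixed-window request counter per client key. The clock is injectable so
    the limiter can be exercised in tests without sleeping."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._windows: dict = {}  # client -> (window_start, count)

    def allow(self, client: str) -> bool:
        now = self.clock()
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.window_s:       # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._windows[client] = (start, count)
            return False
        self._windows[client] = (start, count + 1)
        return True


NOT_FOUND = {"error": "not_found"}


def _public_card(user: Profile) -> dict:
    """Only the fields a learner expects to appear on a public profile."""
    return {"username": user.username, "streak": user.streak, "languages": list(user.languages)}


def lookup_hardened(query: str, client: str, limiter: RateLimiter) -> dict:
    """Friend lookup that keeps the feature but closes the gaps:
    - lookup by username (the handle the user chose to be found by) always works
      for non-private profiles; lookup by email only matches users who opted in;
    - private profiles, non-discoverable emails and unknown queries all get the
      identical response, so the endpoint is not an oracle for account existence;
    - contact details (email, phone, real name) are never in the response;
    - every client is throttled, so bulk harvesting is slow and shows up in logs."""
    if not limiter.allow(client):
        return {"error": "rate_limited"}
    q = query.strip().lower()
    user = BY_USERNAME.get(q)
    if user is None and "@" in q:
        candidate = BY_EMAIL.get(q)
        if candidate is not None and candidate.email_discoverable:
            user = candidate
    if user is None or user.private:
        return dict(NOT_FOUND)
    return _public_card(user)
```

The indistinguishable `not_found` response is the part most often skipped: a hardened endpoint that returns `403 private` for some queries and `404` for others still tells a scraper which addresses are registered.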

Check Yourself Before You Wreck Yourself

Now, we're not here to spread panic. Instead, we want to empower you with knowledge. There's a nifty website called "Have I Been Pwned" that lets you check whether your email address has appeared in known data breaches. When it loaded the Duolingo set, it reported that every single one of the email addresses was already in its database from earlier breaches, which says something about where the scrapers got their input list. So, take a moment, head over to the site, and see if you've been caught in the crossfire.

Tips to Safeguard Yourself

As we navigate these choppy waters, it's wise to take precautions. Note what was and wasn't taken here: the scraped records contain email addresses, names, phone numbers and learning activity, not passwords. That makes the main danger a convincing phishing email, one that greets you by name, mentions your streak or the language you're studying, and asks you to "log in" somewhere that isn't Duolingo. Treat any unexpected message that knows those details with suspicion, check the sender and the link destination before clicking, and never enter your password on a page you reached from an email. On the account side, use a unique password for every site (a password manager makes that painless) so that a leak elsewhere can't be replayed against Duolingo, and if you'd rather not be searchable at all, use the option Duolingo mentions to make your profile private.

In a world where our personal data is like gold to cybercriminals, it's essential to stay informed and cautious. While the Duolingo breach is unfortunate, it's a reminder that we should all take steps to protect ourselves in this digital realm. So, go ahead, sort out those passwords, and keep an eye out for any sneaky phish swimming your way. Stay safe out there!

Learning from the Breach: A Lesson in API Security

The Duolingo data breach serves as a reminder that even major players in the digital realm can have gaps in their cybersecurity armor. In this case, nothing was "hacked" in the usual sense: the breach hinged on a public-facing API that answered unauthenticated profile requests keyed on email, and that answered enough of them for someone to walk away with 2.6 million records, which suggests the requests were never meaningfully throttled. It's a bit like leaving a window open in a house; eventually, someone will notice and climb through. Unfortunately, despite being reported to Duolingo in January, the API remains accessible to the public.


In the realm of cybersecurity, a proactive approach is crucial. The Duolingo breach teaches us that promptly addressing reported vulnerabilities is essential. Furthermore, periodic audits and continuous monitoring of public-facing APIs can stop bulk access long before it reaches millions of records. An audit of an endpoint like this one should ask three plain questions: does it really need to accept an email address as the lookup key, does it honor the user's privacy setting, and is anything limiting how fast one client can call it? Monitoring then covers what the audit missed: a single client looking up thousands of distinct addresses, most of which don't exist, looks nothing like a learner searching for a friend. Just as a well-secured house requires regular checks on its windows and doors, digital systems demand consistent evaluation to keep potential vulnerabilities at bay.
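The monitoring half of that advice is easy to put into practice. Below is an added example (not from the original article or from Duolingo) that runs two scraping heuristics over constructed web-server access-log lines: how many distinct addresses a client looks up within a sliding window, and what fraction of its lookups come back as 404. The `/api/users?email=` path, the client IPs and the log contents are all made up for the illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed access log in the common "combined" format. The /api/users path
# and the email parameter are assumptions for the example, not a real endpoint.
# 203.0.113.7 replays a list of addresses like a scraper; the other two clients
# behave like learners looking up a friend or two.
LOG_LINES = """\
203.0.113.7 - - [22/Aug/2023:10:00:01 +0000] "GET /api/users?email=a1%40example.net HTTP/1.1" 200 512
203.0.113.7 - - [22/Aug/2023:10:00:01 +0000] "GET /api/users?email=a2%40example.net HTTP/1.1" 404 30
203.0.113.7 - - [22/Aug/2023:10:00:02 +0000] "GET /api/users?email=a3%40example.net HTTP/1.1" 404 30
203.0.113.7 - - [22/Aug/2023:10:00:02 +0000] "GET /api/users?email=a4%40example.net HTTP/1.1" 200 498
203.0.113.7 - - [22/Aug/2023:10:00:03 +0000] "GET /api/users?email=a5%40example.net HTTP/1.1" 404 30
203.0.113.7 - - [22/Aug/2023:10:00:03 +0000] "GET /api/users?email=a6%40example.net HTTP/1.1" 404 30
203.0.113.7 - - [22/Aug/2023:10:00:04 +0000] "GET /api/users?email=a7%40example.net HTTP/1.1" 200 530
203.0.113.7 - - [22/Aug/2023:10:00:04 +0000] "GET /api/users?email=a8%40example.net HTTP/1.1" 404 30
198.51.100.5 - - [22/Aug/2023:10:03:12 +0000] "GET /api/users?email=friend%40example.org HTTP/1.1" 200 505
198.51.100.5 - - [22/Aug/2023:10:03:40 +0000] "GET /api/users?email=frend%40example.org HTTP/1.1" 404 30
192.0.2.44 - - [22/Aug/2023:10:05:00 +0000] "GET /api/users?email=maria%40example.com HTTP/1.1" 200 511
192.0.2.44 - - [22/Aug/2023:10:05:09 +0000] "GET /api/users?email=maria%40example.com HTTP/1.1" 200 511
192.0.2.44 - - [22/Aug/2023:10:06:30 +0000] "GET /api/users?email=k.tan%40example.com HTTP/1.1" 200 520
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?:\d+|-)$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it doesn't match.
    The looked-up address is pulled out of the query string so lookups can be
    counted per target rather than per raw URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    email = parse_qs(url.query).get("email", [None])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "email": email,
        "status": int(m["status"]),
    }


def detect_scrapers(lines, window_s=300, max_distinct=5, max_miss_ratio=0.5, min_requests=5):
    """Return {client_ip: [reasons]} for clients whose lookup pattern looks like
    harvesting rather than friend-finding. Two independent signals:
    1. more than `max_distinct` distinct addresses inside any `window_s` window
       (a sliding window per client, so slow-and-steady scraping is caught too);
    2. over `max_miss_ratio` of lookups returning 404, once the client has made
       at least `min_requests` requests. Replaying a breach list produces many
       misses; a real user usually knows the friend's address."""
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] == "/api/users" and ev["email"] is not None:
            per_client[ev["ip"]].append(ev)

    findings = defaultdict(list)
    for ip, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        peak_distinct = 0
        for ev in events:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            peak_distinct = max(peak_distinct, len({e["email"] for e in window}))
        if peak_distinct > max_distinct:
            findings[ip].append(
                f"{peak_distinct} distinct addresses looked up within {window_s}s (limit {max_distinct})")
        if len(events) >= min_requests:
            misses = sum(1 for e in events if e["status"] == 404)
            if misses / len(events) > max_miss_ratio:
                findings[ip].append(
                    f"{misses}/{len(events)} lookups returned 404 (limit {max_miss_ratio:.0%})")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect_scrapers(LOG_LINES).items():
        print(ip, "->", "; ".join(reasons))
```

The 404 ratio is the more durable of the two signals: a scraper can spread requests across many IP addresses to stay under a per-client rate, but it cannot stop the addresses it doesn't hold accounts for from missing, so the same ratio computed fleet-wide still moves when a harvest starts.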