Duolingo

medium risk 🦉
education, academic, social
Leak Date: January 2023
Records: 2.7M rows
Region: global
Current Status: active

About this leak

In early 2023, an attacker exploited a vulnerable application programming interface (API) on the Duolingo language-learning platform to scrape data from approximately 2.6 million accounts. The vulnerability allowed the threat actor to submit email addresses and receive the linked account details. The scraped dataset combines public profile information with non-public email addresses. The data was initially offered for sale on a hacking forum in January and later leaked for free in August 2023. This incident highlights the risk that exposed API endpoints can be used for large-scale data harvesting.

Exposed Data

email, username, first name, last name