-
A threat actor claims to be selling a database containing more than 500 million alleged Duolingo user records.
-
Neither Duolingo nor independent cybersecurity researchers have verified the advertised dataset or its source.
-
Security experts urge users to stay vigilant because cybercriminals often recycle older datasets to attract buyers.
A threat actor has listed what they claim is a database containing more than 500 million Duolingo user records on an underground forum. The alleged sale has drawn attention across the cybersecurity community. However, nobody has confirmed whether the dataset is genuine.
According to Daily Dark Web Intelligence on X, the seller published the listing with a sample of the alleged records. The post also included contact information for potential buyers.
The threat actor claims the database contains usernames, display names, email addresses, phone numbers, and language preferences. The listing also mentions learning statistics, device identifiers, and account metadata.
The seller further claims the records include verification status, subscription plans, XP totals, leagues, achievements, learning streaks, account creation dates, and recent activity timestamps. The listing also references password hash indicators. However, the seller provided no evidence confirming they represent actual password hashes or authentication data.
Duolingo has not addressed the listing publicly. Independent cybersecurity researchers have also not verified the dataset, its origin, or its age.
Threat Actor Claims Massive User Database
The advertised database would mark one of the largest alleged Duolingo data exposures if investigators confirm the claims. However, security experts continue urging caution until independent analysis becomes available.
Cybercriminals frequently advertise stolen databases without proving their authenticity. The scale of such exposures is a growing concern; a global breach recently exposed 149 million passwords, demonstrating the massive pool of credentials available to criminals.
Some sellers exaggerate record counts to attract buyers. Others combine several older datasets into one package before offering them for sale.
Researchers, therefore, recommend treating the latest listing as an unverified claim instead of confirmed evidence. They say independent validation remains essential before anyone confirms a security breach.
Earlier Exposure Returns to Focus
The latest claim has revived discussions about an earlier Duolingo data exposure disclosed almost three years ago. During that incident, attackers scraped information linked to about 2.6 million users through a publicly accessible application programming interface, or API.
The attackers matched usernames with email addresses to collect publicly available profile information. The scraped records included names, usernames, learning progress, and other profile details. They did not obtain user passwords.
Duolingo later explained that attackers gathered information from public profiles instead of exploiting its systems through a traditional breach.
If investigators authenticate the newly advertised database, the alleged exposure would far exceed the previously reported incident. Until then, researchers advise against drawing conclusions from the underground listing alone.
Experts Advise Users to Stay Alert
Researchers say users should remain cautious even without evidence of a new compromise. Criminals often reuse information collected during previous incidents for future attacks.
Attackers could use those records to launch phishing emails or fraudulent text messages. Personalized messages often appear more convincing when they contain genuine account details.
Security professionals recommend enabling multi-factor authentication whenever possible. They also encourage users to create unique passwords for every online account. Reusing passwords across multiple services increases the risk of account compromise.
Users should also monitor their email accounts for suspicious login alerts, unexpected password reset requests, and other unusual activity. Quick action can reduce the chances of further abuse.
Duolingo has not confirmed the advertised database. Independent researchers have also not authenticated the seller’s claims. Users should therefore treat the listing as an allegation until credible evidence proves otherwise.
Cybersecurity researchers will continue monitoring underground forums for additional samples and technical evidence. Their findings should determine whether the records contain newly compromised information, recycled data, or several historical datasets merged together.
Until investigators complete that process, the alleged database remains an unverified claim rather than confirmation of a new Duolingo data breach.