Log in
Get Surfshark
Research
Digital democracy
Cybersecurity
Chart of the week
About research hub
Published:Aug 29, 2023

Cybersecurity|Cybersecurity statistics

US was hit the hardest by the Duolingo data leak

We all love to learn something new. But it's disheartening to learn that your favorite educational platform has experienced a data leak. Unfortunately, this happened to 2,676,690 Duolingo users whose email addresses were exposed and are now being sold online. The leak occurred by scraping Duolingo's data using an application programming interface (API), revealing a mix of both public and private information¹. Let’s see what lessons can be learned here.

Key insights

  • The US is the most affected country, with 967k unique email addresses exposed (that’s roughly the population size of Rhode Island!). This constitutes approximately a third of the compromised accounts. The outcome is unsurprising, given that the US holds the highest number of leaked accounts since 2004².
  • South Sudan comes in second, with five times fewer accounts leaked (175k) than the US. Spain follows in third place with 123k exposed accounts, followed by France with 105k, and the United Kingdom with 98k.
  • In total, 16.3M data points of Duolingo users were exposed. On average, each email account was leaked with five data points, such as language (5.3M), profile picture (2.7M), username (2.7M), name (2.2M), country (0.7M) or bio (6k). Some user accounts got all of their details leaked.
  • The biggest concern is the exposure of email addresses — it could be used for phishing attacks. Phishing continues to be the most common cybercrime for the third year in a row, with a total of 300,497 phishing victims in 2022³. People affected might receive personalized phishing emails, such as offering affordable courses related to the language they have been studying on Duolingo. This could be done using leaked names and origin countries, resulting in highly customized emails, possibly even in their own native languages.

Methodology and sources

The data was collected by our independent partners from a publicly available database and aggregated by email addresses. This data was then anonymized and passed on to Surfshark’s researchers to perform a statistical analysis of their findings.

For the complete research material behind this study, visit here.

References:

¹ TechRadar (2023). Millions of Duolingo users have scraped personal data sold online;² Surfshark (2023). Global data breach statistics;³ Surfshark (2023). Phishing statistics.
The team behind this research:About us

Related articles:

Data of almost 80k Facebook users leaked
Cybersecurity statistics | Feb 20, 2024

Data of almost 80k Facebook users leaked

80k Facebook users had their details leaked. Check out Surfshark’s chart of the week to learn which countries were affected the most and what the dangers of this leak are.
2023 cybersecurity wrapped: from crypto scams to AI risks
Cybersecurity statistics | Jan 2, 2024

2023 cybersecurity wrapped: from crypto scams to AI risks

Dive into the cybersecurity landscape of 2023 with our discoveries. Read about doubled crypto scam losses and navigate global data breach trends. Explore password leaks and companies affected by AI incidents.
Holiday shopping alert: retail breaches exposed
Cybersecurity statistics | Dec 12, 2023

Holiday shopping alert: retail breaches exposed

Since 2020, data breaches in the retail sector have impacted 280M accounts worldwide. A Surfshark study reveals the biggest retail breaches and identifies the countries that were affected the most.