Duolingo: Difference between revisions
No edit summary |
→Incidents: Add iPhone dynamic island advertising incident |
||
| Line 29: | Line 29: | ||
==Incidents== | ==Incidents== | ||
=== Abusing iPhone Dynamic Island Feature for advertising (2026) === | |||
Ignoring Apple's app store guidelines, the company used the Dynamic Island feature, an area of the iOS screen reserved for notifying users of progress of background processes, to push a sales promotion with a countdown via its iPhone app.<ref>{{Cite web |last=Schwan |first=Ben |date=2026-01-05 |title=Duolingo is putting ads in Apple's Dynamic Island – even though it's not allowed |url=https://www.heise.de/en/news/Duolingo-is-putting-ads-in-Apple-s-Dynamic-Island-even-though-it-s-not-allowed-11128917.html |access-date=2026-01-05 |website=Heise Online}}</ref> | |||
===Data breach (2023)=== | ===Data breach (2023)=== | ||
In January 2023, the data of 2.6 million users were posted to an online hacking forum for $1,500.<ref>{{Cite web|url=https://www.bleepingcomputer.com/news/security/scraped-data-of-26-million-duolingo-users-released-on-hacking-forum/|title=Scraped data of 2.6 million Duolingo users released on hacking forum|first=Lawrence|last=Abrams|work=Bleeping Computer|date=2023-08-22|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250309233352/https://www.bleepingcomputer.com/news/security/scraped-data-of-26-million-duolingo-users-released-on-hacking-forum/|archive-date=2025-03-09|url-status=live}}</ref> The data were scraped from a vulnerable API, with email addresses, usernames, languages spoken, and real names being included.<ref>{{Cite web|url=https://haveibeenpwned.com/PwnedWebsites#Duolingo|title=Pwned websites|work=haveibeenpwned.com|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250309182649/https://haveibeenpwned.com/PwnedWebsites#Duolingo|archive-date=2025-03-09|url-status=live}}</ref> A spokesperson for Duolingo stressed that "these records were obtained by data-scraping public profile information" and "no data breach or hack has occurred".<ref>{{Cite web|url=https://therecord.media/duolingo-investigating-dark-web-post-offering-data-from-2-6-million-accounts|title=DuoLingo investigating dark web post offering data from 2.6 million accounts|first=Jonathan|last=Greig|date=2023-01-23|work=The Record.|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250307194542/https://therecord.media/duolingo-investigating-dark-web-post-offering-data-from-2-6-million-accounts|archive-date=2025-03-07|url-status=live}}</ref> | In January 2023, the data of 2.6 million users were posted to an online hacking forum for $1,500.<ref>{{Cite web|url=https://www.bleepingcomputer.com/news/security/scraped-data-of-26-million-duolingo-users-released-on-hacking-forum/|title=Scraped data of 2.6 million Duolingo users released on hacking 
forum|first=Lawrence|last=Abrams|work=Bleeping Computer|date=2023-08-22|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250309233352/https://www.bleepingcomputer.com/news/security/scraped-data-of-26-million-duolingo-users-released-on-hacking-forum/|archive-date=2025-03-09|url-status=live}}</ref> The data were scraped from a vulnerable API, with email addresses, usernames, languages spoken, and real names being included.<ref>{{Cite web|url=https://haveibeenpwned.com/PwnedWebsites#Duolingo|title=Pwned websites|work=haveibeenpwned.com|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250309182649/https://haveibeenpwned.com/PwnedWebsites#Duolingo|archive-date=2025-03-09|url-status=live}}</ref> A spokesperson for Duolingo stressed that "these records were obtained by data-scraping public profile information" and "no data breach or hack has occurred".<ref>{{Cite web|url=https://therecord.media/duolingo-investigating-dark-web-post-offering-data-from-2-6-million-accounts|title=DuoLingo investigating dark web post offering data from 2.6 million accounts|first=Jonathan|last=Greig|date=2023-01-23|work=The Record.|access-date=2025-03-26|archive-url=https://web.archive.org/web/20250307194542/https://therecord.media/duolingo-investigating-dark-web-post-offering-data-from-2-6-million-accounts|archive-date=2025-03-07|url-status=live}}</ref> | ||
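Review bot: The added heading and the opening clause of the new paragraph assert a guideline violation in the article's own voice ("Abusing iPhone Dynamic Island Feature for advertising", "Ignoring Apple's app store guidelines"), while the only citation is a single Heise Online article. Attribute the claim to that source and use neutral wording, for example a sentence that begins "According to Heise Online, the company used the Dynamic Island feature" and states that this is not permitted by Apple's guidelines as a reported finding. The heading also departs from the style of the existing "===Data breach (2023)===" heading: it has spaces inside the "===" markers and title-style capitals, so a form such as "===Dynamic Island advertising (2026)===" would match. "app store" should be written "App Store".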