Is Duolingo safe? Here’s everything you need to know about it

Duolingo is a language-learning app designed to be user-friendly and engaging. It was founded in 2011 and saw quick success mostly due to its gamified approach to education, which makes the process of learning a new language both effective and enjoyable. Duolingo allows a broader audience to learn foreign languages easily — it’s free to use with optional premium features.

Duolingo offers courses for over 30 languages, including less commonly taught ones like Welsh and Swahili. The app uses listening exercises, flashcards, and interactive stories to cater to different learning styles. Each lesson is designed to be bite sized, allowing users to learn at their own pace, anytime and anywhere.

The Duolingo app is legal and available even in China (after years of being blocked), proving that the app is widely recognized as a safe and useful tool. However, some schools and businesses categorize it as a social networking app and block their students’ or employees’ access to it. In this case, a VPN can help you unblock and safely access Duolingo.

When you start using Duolingo, you have to select a language and take a test to determine your skill level. Then the first lesson begins — you have to translate, match words with images, listen to phrases and write them out, and do speaking exercises. Once you’re done with your first lesson, you must create an account to continue using the app.

In order to encourage you to stick to your lessons, Duolingo uses a system of rewards and streaks — you have to do your lessons every day to keep your streak going. This encourages you to practice daily, turning language learning into a habit. The app will also monitor your progress and mistakes to customize future lessons so that you can focus on areas where you need to improve. The social aspect only adds to the attraction — connecting with friends who also use Duolingo, competing in leaderboards, and participating in community events brings a competitive edge to learning.

Yes, generally speaking, Duolingo is safe — to a point. Popular apps with a large user base are tempting targets for cybercriminals — the more users an app has, the more data is available for potential theft. In the case of a data breach, lots of personal information, including email addresses, passwords, phone numbers, and other sensitive data, could be stolen and used for phishing, identity theft, or credential-stuffing attacks.

Duolingo has indicated a strong commitment to protecting its users’ privacy and data. It allows you to control your information on the Duolingo Data Vault. — access and download it, request data erasure, and request account deletion. While it’s something that all companies should be doing to comply with data protection regulations like GDPR, not many apps offer such easy data management.

Duolingo has stated that it uses various security measures (like SSL encryption) to protect data in transit as well as a strong password policy. However, Duolingo has not released any reports about what encryption or other security mechanisms it uses to secure the user data stored on its servers. It has also issued no statements about undergoing internal or external security audits. This is not uncommon for many companies — they often choose to not share detailed specifics of their security infrastructure.

Duolingo collects various types of data, mainly related to teaching and learning. It includes the languages you’re learning, which skills and lessons you have completed, your personal in-app dictionary, time logs of when you use Duolingo and for how long, and what in-app purchases you’ve made. Developers state that they use this data to improve and tailor the language courses and teaching methods.

Duolingo will also collect some metadata, which includes the device, operating system, and the app version you’re using. This data helps the developers improve their app and find bugs and fix them.

And then there’s the personal data you enter when you’re creating your account — email address, password, age, and phone number. If you use your Google, Facebook, or Apple account to create a profile, Duolingo will receive information about you from those accounts, which could include your contacts and email address.

Duolingo had a data breach in August of 2023, when the scraped data of 2.6 million Duolingo users was leaked on a hacking forum.

The data set included publicly available names and usernames, private email addresses, phone numbers, experience levels, languages being learned, learning progress, achievements, social media information, country, role, courses, subscriptions, and account creation dates​.

The breach happened because of an exposed application programming interface (API) that allowed anyone to submit an email address and confirm if it was used to create a Duolingo account. The API would return personal data associated with the username.

Duolingo’s spokesperson stated that the records were gathered by scraping publicly available information, and there’s no indication that Duolingo’s systems were compromised. According to Duolingo, the email addresses were obtained from other websites, and the API was intentionally made public. It is meant to allow you to find friends who also use the app, so making your profile private would make you unsearchable.

So, is Duolingo dangerous? Not necessarily. Although it is still unknown how the attackers managed to get the email addresses of 2.6 million users, the information they gathered is not particularly sensitive. Still, it can be used in targeted attacks or for doxxing.

Good cyber hygiene is key, so here are a few things to keep in mind while using Duolingo (or any app, for that matter):

• Go to “Settings” on your Duolingo app and make sure your profile is not public to help protect your personal data, limit unwanted contact, and reduce online exposure​. Consider doing so for all your apps and online accounts.
• Limit the permissions the app has — only grant permissions necessary for its functionality. Excessive permissions can be a red flag, so if an app seems suspicious, look for alternatives with more privacy-friendly settings if needed​.
• Keep your apps updated to get the latest security and privacy features and reduce the risk of security breaches.
• Delete apps you no longer use — they can still collect data about you or have a vulnerability that’s never patched and become a security risk.
• Use strong and unique passwords for every account. It’s easy to opt for a social media login, but using your email and a password to create an account is much safer. Having a tough time remembering all the passwords? Get a password manager to help you out.

You can read our blog post to learn more about apps tracking your personal data and general tips for app security.