1. Forum
  2. >
  3. Topic: Duolingo
  4. >
  5. "I've been hacked!" Ok, let's…


"I've been hacked!" Ok, let's be real about this.

So, I just want to make some things clear or we're going to end up with undue pandemonium. The word "hack" is getting used waaay too liberally these days. It is causing some undo stress for people who don't know what is going on. So, please let me explain in very plain terms what these claims are about.

I have never encountered (in my nearly 3 years of moderating) an instance of someone "hacking" an account like one sees in the movies. Most often, what happens, is either someone willfully gave out their information by accepting a classroom link (from someone other than a real teacher). Or they left their account logged into a computer and a family member or classmate took the opportunity to get in and cause some havoc.

If you're worried by all of the hack talk, here is what you can do to protect yourself.

-DON'T join a classroom, unless you're in a real class working with a real teacher.

-DON'T leave your account signed in if you're going to walk away from your computer.

-DON'T use the same password for your email account and Duolingo account.

If you joined a classroom run by anyone other than your legitimate teacher, leave that classroom. See This Discussion for how to leave a classroom.

So, I hope that clarifies some of that hack talk you've been hearing around the forums lately, and that you now understand how to keep your account secure.

Happy learning. ^_^

August 25, 2016


[deactivated user]

    Duolingo can do more here and I think they should.

    • They should restrict who can make a classroom.

    • There needs to a warning pop-up or something of the like that INFORMS people when they join a classroom of how the classroom leader has access to their Duolingo account and asks if they are still sure they want to join (if such a thing is already is place, it's clearly not doing its job seeing how confused people are about it)

    Duolingo wants to shrug off any responsibility here, but they provided this feature so they do owe it to users to prevent it from being abused or used maliciously and to actually inform users about it.

    Also, since this is a moderator here (and a very experienced one, no less) posting this, can we also assume there will be more done to stop these bra-, er, kids from spamming people's profiles with links to their classrooms?


    Your suggestion is solid. I recommend you post it in this discussion created by staff member Vivisaurus https://www.duolingo.com/comment/17349525

    As for moderators keeping people from posting classroom links on people's profiles, we have a very limited toolset to work with. It is already against the guidelines to post those links on the website (because it effectively works as an exchange of emails, which is forbidden by the guidelines.) This gives us the authority to talk to people once we discover they are sharing those links. But, certain things must be in place before we are able to take any further action. This community depends on the whole community, not just the moderators, to function in as a healthy community. So, spreading caution about the classroom is something everyone can do to help. :)


    How would you recommend restricting who can make a classroom?


    Truth is you cannot. The only good solution would be that any changes done by the classroom leader to someone's account should require the owner's confirmation.


    agreed, I just wanted to know what solution, if any, Ceid Donn had in mind.

    Also, not sure why this comment is getting downvoted. I see that Ceid now has something I would consider to be a solution (whether or not it is a good one being irrelevant at the moment), was it always there, or did Ceid edit the original comment? I honestly don't remember everything that's there now being there when I made my original response to it...


    Require them to give proof of their institution and then follow up on that. That could be something like the address of the school and relevant institutional phone number and then that gets verified. Textbook companies do this all the time.


    Given the incredibly huge user base of Duolingo, I suspect that that would be way too much work. They need something that can be fully automated. Textbook companies aren't dealing with these volumes, and the number of requests they get is more or less proportional to the books they sell.


    I've seen some people with their passwords in their bio. I̶f̶ ̶y̶o̶u̶'̶r̶e̶ ̶o̶n̶e̶ ̶o̶f̶ ̶t̶h̶o̶s̶e̶ ̶p̶e̶o̶p̶l̶e̶,̶ ̶y̶o̶u̶'̶r̶e̶ ̶b̶a̶s̶i̶c̶a̶l̶l̶y̶ ̶̶a̶s̶k̶i̶n̶g̶̶ ̶t̶o̶ ̶b̶e̶ ̶"̶h̶a̶c̶k̶e̶d̶"̶.̶ If you're one of those people with a password in their bio, you should take it out for the safety of your account. Would you put your credit card number or facebook password somewhere public? I hope the answer to that is no.


    Please, contact a moderator if you see that. As for blaming them if someone else signs into their account, I don't encourage that framing. Everyone could have their passwords in their bio and nothing would happen if there wasn't a person looking to take advantage. In ultimate terms, the fault belongs to the person who took advantage.

    Ok, ok. Some will call me out here for the whole rest of my post which asks people to be careful with their security. What prompted me to say what I did in this comment is because there is a concept called "victim blaming". And the "asking to be....xyz" struck cord in me that has to do with victim blaming. In this instance, we are talking about the security of a duolingo account. In other cases, we are using that logic to blame people for much more horrible things that happen to them because someone else decided to do something horrible to them. So, yes, if you put your password on your profile on the internet, there is a chance that someone will use it to mess with your account. If you are wearing your favorite dress and someone attacks you, it is the fault of the attacker, not the dress. I just wanted to make this clear because I'm super sensitive to certain claims that people were "asking for it."


    I've seen some a while back but not any recently, I'll be sure to alert a moderator if I see that again.

    As to the "victim blaming" thing, it was just a poor choice of words. I guess I can change it but I'm still wondering why anybody would be so stupid to put their password into their own profile bio, leaving them susceptible to someone just logging in with their account and getting their email, personal classrooms (if they have any), and to a lesser extent, draining their lingots to someone else.

    But then again, why would anybody want to hack a DUOLINGO account? Like seriously it's a language learning website, that's some low life stuff right there.

    Making a strong password(strong language): https://www.youtube.com/watch?v=Q00OZ_Xk24w


    The definition of hacking is simply gaining unauthorised access to a computer, account or data, so I doubt it's ever being used "too liberally". Whether or not the "hacker" is sitting behind walls of code and a thousand open programs isn't a part of it.

    You have also missed a key thing here - making sure your password is secure and not something ridiculously simple (i.e. Duolingo or password).


    Hello MissEngland, you are correct. That is the technical definition of hacking. But, I'm not addressing the technical terms of hacking. I'm addressing the fears that live in the popular imagination when people hear someone say "I've been hacked!".

    Let me share a story. When I was in Uni, I was friends with Tapeworm, author of This Book. I was treated to some great stories, but then they were a bit of a let down too, because afterwords it was like knowing the method to a magic trick. The methods were hardly as interesting as some, including myself had imagined. One method included a hacker hiding in a broom closet to observe someone putting in their password. That was it. That was the method of an almighty hack that shook the news some years ago.

    My post is about exposing the "magic" behind the claims. It's about giving people back their sense of power over situations they may have imagined were outside of their control.

    As for saying people were using the term "too liberally", you haven't had the week I've had (along with a few other moderators) chasing a horde of mostly bogus hacking claims. We had the case in which one or two people neglected the security of their accounts. They told their friends "I've been hacked", who told their friends "someone is hacking accounts!". A few of those friends had the grand idea to create a few fake accounts and "hack" them, spreading the idea that hackers were on the loose to ridiculous levels.

    It is much less interesting (but more appreciated by moderators) when someone admits "I left my computer on at school and someone signed in and wrote messages to people", rather than exclaims to everyone with eyes that "I've been hacked!" So, yes, in my mind, the term "hacked" was being used far too liberally.

    And then staff altered the School's feature to allow the latest ability, which topped the cake on this week. So, I'm totally not apologizing for trying to illustrate the reality of what has been happening here and reduce the awe and magic of people's claims that they've been "hacked". I feel I reached the appropriate audience with my wording.


    Completely got you... but I do think that some of the claims made must be somewhat valid. It just appeared to me that by labelling the claims as "liberal" you were almost dismissing them, but I'm sure that's not what you mean.

    Also, for the instance you mentioned, you mean you had instances of people creating fake accounts to claim those fake accounts were hacked?

    Also, it seems linda has just lost all of her progress on her account...


    It just appeared to me that by labelling the claims as "liberal" you were almost dismissing them

    Ah, ok. No, Duolingo takes these claims seriously.

    I'm not sure who Linda is, unless you mean LindaKanga? If it is LindaKanga, it might have something to do with her doing the English for Korean speakers course. If it is someone else, please have them log out, request a new password be sent to their email so they can change the password. Then collect any evidence they have about what may have happened and email it to Abuse@duolingo.com (Evidence can be screenshots of threats to compromise the account, bragging about it, etc.). However, if they recently signed into a course with a different base language than they usually have, have them sign back into one of their other courses and see if that restores things for them.


    Thank you for this! I've been off the forums for a few days so didn't know about this. Unfortunately, a few days after joining Duolingo I did join a classroom (before I knew about the dangers). I removed it just now. However, would I still be at risk of being "hacked"?


    That is a good question, one I don't have an answer for. There are some options to address the anxiety, however. 1. Change your password now. That way, if someone somehow saw your password (I'm not sure if that's how it even works), they can't use it once you change it. 2. If you don't want to change your password because you are attached to it, just make sure that your email has a different password. At the first sign of wonky activity, use your email to regain access to your account and change it then. Option 2 comes with a risk of course. They could remove courses and delete progress, etc. So, think carefully before making your choice.


    I don't understand what this new classroom craze is, or why it exists. Why in the name of the heck do you need to designate some random Duolingo user as your teacher?! Can someone clarify this for me?


    Thank you for this!

    Is it possible to make this a sticky post? Or your earlier one on how to leave a classroom?


    Sticky's are given out very sparingly. I cannot see asking for one for this, simply because it isn't actually a very wide spread phenomenon. It only seems that way because there is just a lot of hype about it at this present moment.

    What you can do, if you would, save a link to this discussion in your bookmarks. If you see someone mentioning that they've been hacked, give them a link and suggest that they read this and the post it is linked to. :)


    Just did so and noticed that I already had three amazingly instructive post of yours in my list (new user guide, troubleshooting form and the wiki) :-)


    Oh good! I'm very glad that my work here is having a positive impact on learners' experience with Duolingo. :)


    what are sticky posts?


    A "sticky" is a discussion that has been stuck to the top of a forum. If you go to the popular tab of a given forum, you will see such posts that say "sticky" next to them.


    Posts that are on the front of the discussions page and can't disappear with the -5 downvote rule.


    It's Good now ! C'est réglé maintenant


    I don't know if I was hacked or whatever, but my account became like one of those bot accounts and starts following random people. I changed my password twice and it won't stop. I unfollowed over 400 random "friends" on my account last week and 40 more popped up in a span of a few days. In my bio, there was also a shady link that I deleted immediately. I'm still able to access my account and change things, but it won't stop.

    What am I supposed to do?


    Hi AiliSYu,

    Did you change your password to Duoling and the email you have registered with Duolingo? It is a good idea if they do not have the same password. Next, make sure to log out of Duolingo if you are leaving your computer or phone where others are able to access it.

    Next, be sure ti file a bug report by going Here. Under the issues drop down menu, choose "Report abuse". It might take a couple of days to around 2 weeks for your bug ticket. If after 3 weeks you haven't gotten a reply back from staff and/or the situation is still happening, send another report, but this time select "Bug (other)." Make sure that you include your Reference number from the last report you sent in, which should arrive in your inbox within 24 hours of filing your first report.

    I hope this helps!

    Learn a language in just 5 minutes a day. For free.