The API allows anyone [...] to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.
So any email address in the leak must've been leaked before or brute forced. I'd assume the scraper simply used leaks which were already public which would explain the 100% match against HIBP.
Gregory's Server
@alessandrolai @haveibeenpwned
From BleepingComputer:
>
The API allows anyone [...] to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.
So any email address in the leak must've been leaked before or brute forced. I'd assume the scraper simply used leaks which were already public which would explain the 100% match against HIBP.