@alessandrolai @haveibeenpwned From BleepingComputer:...

@alessandrolai @haveibeenpwned
From BleepingComputer:

The API allows anyone [...] to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.

So any email address in the leak must've been leaked before or brute forced. I'd assume the scraper simply used leaks which were already public which would explain the 100% match against HIBP.

Like 23 Aug 2023 at 6:05 | Wall-to-wall | Open on infosec.exchange