TechnologyWebsite BuildersWordPress Hosting

Gravatar “Breach” Exposes Data of 100+ Million Users

The safety alert firm HaveIBeenPwned notified customers that the profile data of 114 million Gravatar customers had been leaked on-line in what they characterised as an information breach. Gravatar denies that it was hacked.

Right here’s a screenshot of the e-mail that was despatched to HaveIBeenPwned customers that characterised the Gravatar occasion as an information breach:


Gravatar Breach


I hate getting emails from this man 😭

— Troy Hunt (@troyhunt) December 6, 2021

Gravatar Enumeration Vulnerability

The consumer data of each particular person with a Gravatar account was open to being downloaded utilizing software program that “scrapes” the information.



Proceed Studying Under

Whereas technically that isn’t a breach, the style wherein consumer data was saved by Gravatar made it straightforward for an individual with malicious intent to acquire consumer data which might then be used as half of one other assault to achieve passwords and entry.

Gravatar accounts are public data. Nevertheless the person consumer profile accounts aren’t publicly listed in a means that may simply be browsed. Ordinarily an individual must know account data just like the username to be able to discover the account and all of the publicly out there data.

A safety researcher found in late 2020 that Gravatar consumer account data was recorded in numerical order. A information report from the time described how the safety researcher peeked right into a JSON file linked within the profile web page revealed an ID quantity that corresponded to the numerical quantity assigned to that consumer.


The issue with that consumer identification quantity is that the profile could possibly be reached with that quantity.


Proceed Studying Under

As a result of the quantity was not randomly generated however in numerical order, anybody wishing to entry the all of the Gravatar usernames might entry that data by requesting and scraping the consumer profiles in numerical order.

Data Scraping Occasion

A knowledge breach is outlined as when an unauthorized particular person beneficial properties entry to data that isn’t publicly out there.

The Gravatar data was publicly out there however an outsider must know the username of the Gravatar consumer to be able to achieve entry to the Gravatar consumer profile. Moreover the e-mail deal with of that consumer was saved in an insecure encrypted method (known as an MD5 hash).

An MD5 hash is insecure and may simply be unencrypted (also referred to as cracked). Storing e mail addresses within the MD5 format offered solely minor safety safety.

That implies that as soon as an attacker downloaded the usernames and the e-mail MD5 hash it was then a easy matter for the consumer’s e mail deal with to be extracted.

Based on the safety researcher who initially found the username enumeration vulnerability, Gravatar solely had “nearly no fee limiting” which implies that a scraper bot might request tens of millions of consumer profiles with out being stopped or challenged for suspicious habits.

Based on the news report from October 2020 that initially divulged the vulnerability:

“Whereas knowledge offered by Gravatar customers on their profiles is already public, the simple consumer enumeration facet of the service with nearly no fee limiting raises considerations close to the mass assortment of consumer knowledge.”

Gravatar Minimizes Consumer Data Assortment

Gravatar tweeted public statements that minimized the influence of the consumer data assortment.

Gravatar helps set up your id on-line with an authenticated profile. We’re conscious of the dialog on-line that claims Gravatar was hacked, so we need to clear up the misinformation. (1/4)

— (@gravatar) December 6, 2021

Gravatar was not hacked. Our service provides you management over the information you need to share on-line. The info you select to share publicly is made out there by way of our API. Users can select to share their full identify, show identify, location, e mail deal with, and a brief biography.

— (@gravatar) December 6, 2021


Proceed Studying Under

Final yr, a safety researcher scraped public Gravatar knowledge – usernames and MD5 hashes of e mail addresses used to reference customers’ avatars by abusing our API. We instantly patched the power to reap the general public profile knowledge en masse. (3/4)

— (@gravatar) December 6, 2021

The last tweet within the sequence from Gravatar inspired readers to learn the way Gravatar works:

“If you wish to be taught extra about how Gravatar works or alter the information shared in your profile, please go to”

Paradoxically, Gravatar linked to an insecure protocol of the URL, utilizing HTTP. Upon reaching the URL there was no redirect on Gravatar to a safe (HTTPS) model of the online web page, which solely undermined their efforts to undertaking a way of safety.

Twitter Users React

One Twitter consumer objected to the use of the phrase “breach” as a result of the knowledge was publicly out there.

I believe it was unfair of @troyhunt to categorise that as a breach. It was display screen scraping, they did not get something that wasn’t already publicly out there.

— Peter Morris #BlackLivesMatterToo (@MrPeterLMorris) December 6, 2021


Proceed Studying Under

The particular person behind the HaveIBeenPwned web site responded:

That’s why it says “scraped knowledge”. However you may additionally argue that “breach” is acceptable when the information is obtained and misused exterior the supposed scope with which it was offered.

— Troy Hunt (@troyhunt) December 6, 2021

Why Gravatar Scraping Occasion Is Necessary

Troy Hunt, the particular person behind the HaveIBeenPwned web site defined in a sequence of tweets why the Gravatar scraping occasion is vital.

Troy asserted that the information that customers entrusted to Gravatar was utilized in a means that was surprising.

Gravatar Consumer Belief Eroded

The argument of “properly, it is public knowledge anyway” is a view held by the minority. The overwhelming majority of folks persistently say “I did not anticipate my knowledge for use on this means and I am sad it is now on the market and being handed round on this format”.

— Troy Hunt (@troyhunt) December 6, 2021

What are you able to really do about it? Individuals typically request that the impacted service delete their knowledge. That clearly would not put the genie again within the bottle, but it surely’s an inexpensive motion as soon as belief is eroded.

— Troy Hunt (@troyhunt) December 6, 2021

Users Need Management Over Their Gravatar Data

Troy asserted that customers need to bear in mind of how their data is used and accessed.


Proceed Studying Under

On the very least, it is consciousness. I need to know – *most* folks need to know – when our private knowledge seems in locations we did not anticipate it to, and that is exactly what @haveibeenpwned does.

— Troy Hunt (@troyhunt) December 6, 2021

Had been Gravatar Users Pwned?

An argument could possibly be made {that a} Gravatar account may be public however not simply harvested as Step One of a hacking occasion by folks with malicious intent.

Gravatar asserted that after the enumeration assault vulnerability was disclosed that they took steps to shut it to stop additional downloading of consumer data.

So on the one hand Gravatar took steps to stop these with malicious intent from harvesting consumer data. However then again they mentioned reviews of Gravatar being hacked is misinformation.

However the truth is that HaveIBeenPwned didn’t name it a hacking occasion, they known as it a breach.

An argument could possibly be made that Gravatar’s use of the MD5 hash for storing e mail knowledge was insecure and the second hackers cracked the insecure encryption, the irregular scraping of “public data” turned a breach.


Proceed Studying Under

Many Gravatar customers aren’t notably joyful and are in search of solutions:

Will you be publishing this information in your web site?

Individuals who obtained the Gravatr discover from Have I been Pwned will go to your web site for the newest data.

I checked, there’s nothing in your web site.

Gravatar customers should not be compelled to contact help for solutions.

— Deborah Edwards-Oñoro (@redcrew) December 6, 2021


Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *