Gravatar “Breach” Exposes Data of 100+ Million Users

The breach-notification service HaveIBeenPwned notified its subscribers that the profile information of 114 million Gravatar users had been leaked online, in what it characterized as a data breach. Gravatar denies that it was hacked.

Here is a screenshot of the email that was sent to HaveIBeenPwned subscribers, which characterized the Gravatar event as a data breach:


I hate getting emails from this man 😭

— Troy Hunt (@troyhunt) December 6, 2021

Gravatar Enumeration Vulnerability

The user information of every person with a Gravatar account was open to being downloaded with software that “scrapes” the data.


While technically that is not a breach, the way user information was stored by Gravatar made it easy for a person with malicious intent to obtain user information that could then be used as the first step of another attack aimed at passwords and account access.

Gravatar accounts are public information. However, individual user profiles are not publicly listed in a way that can easily be browsed. Ordinarily a person would need to know account information such as the username in order to find the account and all of the publicly available information on it.

A security researcher discovered in late 2020 that Gravatar user accounts were numbered in sequential order. A news report from the time described how the researcher looked into a JSON file linked from the profile page and found an ID field holding the sequential number assigned to that user.

The problem with that user ID number is that the profile could be requested directly by number, without knowing the username.


Because the number was not randomly generated but assigned sequentially, anyone wishing to collect all of the Gravatar usernames could do so simply by requesting and scraping the user profiles in numerical order.

Data Scraping Event

A data breach is commonly defined as an unauthorized person gaining access to information that is not publicly available.

The Gravatar information was publicly available, but an outsider would need to know the username of a Gravatar user in order to reach that user’s profile. Additionally, the user’s email address was not exposed in plain text but as an MD5 hash, the value Gravatar derives from the address to reference the user’s avatar.

An MD5 hash is not encryption and cannot be “decrypted”, but for a low-entropy value like an email address it provides little protection. An attacker hashes candidate addresses (taken from earlier breaches, or guessed from the username and common mail domains) and checks for matches, a process known as cracking. MD5 is fast and Gravatar’s avatar hashes are unsalted, so billions of guesses are cheap. Exposing email addresses as MD5 hashes therefore provided only minor protection.

That means that once an attacker had downloaded the usernames and the email MD5 hashes, it was a simple matter to recover a large share of the users’ email addresses.
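As an added example (not code from the article, from Gravatar or from the researcher), the following Python shows what “cracking” the hashes actually means in practice. The hash function follows Gravatar’s documented avatar convention (MD5 of the trimmed, lower-cased address); the scraped profiles, the list of addresses “known from other breaches” and the domain list are constructed for illustration and are not real data.

```python
import hashlib


def gravatar_hash(email: str) -> str:
    """Gravatar's documented avatar convention: MD5 of the trimmed, lower-cased
    address as lowercase hex. This is the value the scraped profiles exposed."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def guess_addresses(usernames, domains):
    """Turn scraped usernames into candidate addresses (username@domain).
    Usernames often double as mailbox names, which is why shipping the
    username next to the hash makes the hash much easier to reverse."""
    return [f"{u}@{d}" for u in usernames for d in domains]


def reverse_hashes(target_hashes, candidate_emails):
    """Dictionary attack: hash every candidate once, then look each target up.
    Nothing is 'decrypted'; an address is recovered only if it was guessed."""
    table = {gravatar_hash(c): c.strip().lower() for c in candidate_emails}
    return {h: table.get(h) for h in target_hashes}


# Constructed sample data (not from the real scrape): usernames paired with
# the avatar hash, the shape of what the enumeration exposed.
SCRAPED = {
    "alice": gravatar_hash("alice@example.com"),
    "bob": gravatar_hash("Bob.Smith@Example.org"),
    "carol": gravatar_hash("carol.private.4421@example.net"),
}

# Constructed attacker inputs: a small "known addresses" list, standing in for
# addresses taken from earlier breaches, plus common domains for guessing.
KNOWN_FROM_OTHER_BREACHES = ["bob.smith@example.org", "dave@example.com"]
COMMON_DOMAINS = ["example.com", "example.net"]


def recover_emails(scraped=SCRAPED):
    """Map each scraped username to the recovered address, or None if no
    candidate matched. carol uses an unguessable mailbox name and stays None."""
    candidates = KNOWN_FROM_OTHER_BREACHES + guess_addresses(scraped.keys(), COMMON_DOMAINS)
    matches = reverse_hashes(scraped.values(), candidates)
    return {user: matches[h] for user, h in scraped.items()}


if __name__ == "__main__":
    for user, email in recover_emails().items():
        print(f"{user}: {email or '<not recovered>'}")
```

The recovery rate depends entirely on the candidate list, not on any weakness in MD5 itself: an address that appears in an earlier breach or follows a predictable username@domain pattern is recovered immediately, while an unusual address is not. The hash is unsalted and cheap to compute, so scaling the candidate list to billions of addresses is the only work involved.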

According to the security researcher who originally discovered the user enumeration vulnerability, Gravatar had “almost no rate limiting”, which means that a scraper bot could request millions of user profiles without being stopped or challenged for suspicious behavior.

According to the news report from October 2020 that originally disclosed the vulnerability:

“While data provided by Gravatar users on their profiles is already public, the easy user enumeration aspect of the service with almost no rate limiting raises concerns with regards to the mass collection of user data.”
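The two weaknesses described above, sequential profile IDs and almost no rate limiting, leave a distinctive footprint in web server logs: one client walking ID, ID+1, ID+2 at machine speed. As an added example that is not part of the original article and does not reflect Gravatar’s real logs or URL layout, this Python script parses constructed combined-format access-log lines (the IP addresses, paths, timestamps, user agents and the detection thresholds are all made up for illustration) and flags any client that requests a run of consecutive numeric IDs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in combined log format (not real Gravatar logs).
# A path of the form /<digits> stands in for a profile fetched by numeric ID.
# 203.0.113.7 walks IDs 1001..1008 at a few requests per second; 198.51.100.4
# is an ordinary visitor who looks up one username and one numeric profile.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "GET /1001 HTTP/1.1" 200 512 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:00 +0000] "GET /1002 HTTP/1.1" 200 498 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /1003 HTTP/1.1" 200 503 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /1004 HTTP/1.1" 404 0 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /1005 HTTP/1.1" 200 511 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /1006 HTTP/1.1" 200 490 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:03 +0000] "GET /1007 HTTP/1.1" 200 505 "-" "python-requests/2.26"
203.0.113.7 - - [06/Dec/2021:10:00:03 +0000] "GET /1008 HTTP/1.1" 200 499 "-" "python-requests/2.26"
198.51.100.4 - - [06/Dec/2021:10:00:01 +0000] "GET /alice HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Dec/2021:10:00:05 +0000] "GET /557120 HTTP/1.1" 200 701 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Dec/2021:10:00:09 +0000] "GET /557120.json HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def numeric_profile_requests(log_text):
    """Return {client_ip: [(timestamp, profile_id), ...]} for requests whose
    path is a bare numeric profile ID. Other paths are ignored."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].strip("/")
        if not path.isdigit():
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_client[m.group("ip")].append((ts, int(path)))
    return per_client


def find_enumerators(log_text, min_run=5, max_window=60):
    """Flag clients that request at least `min_run` consecutive numeric IDs
    (id, id+1, id+2, ...) inside `max_window` seconds. Returns
    {ip: {"longest_run": n, "requests": total, "rps": rate}}.
    Both thresholds are constructed for this example; tune them to the service."""
    flagged = {}
    for ip, reqs in numeric_profile_requests(log_text).items():
        reqs.sort()
        best = run = 1
        run_start = reqs[0][0]
        for (_, prev_id), (ts, cur_id) in zip(reqs, reqs[1:]):
            if cur_id == prev_id + 1 and (ts - run_start).total_seconds() <= max_window:
                run += 1
            else:
                run, run_start = 1, ts
            best = max(best, run)
        if best >= min_run:
            span = (reqs[-1][0] - reqs[0][0]).total_seconds()
            flagged[ip] = {
                "longest_run": best,
                "requests": len(reqs),
                "rps": round(len(reqs) / max(span, 1.0), 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

A strict “exactly +1” check is deliberately simple and is easy to evade with a random stride or by spreading requests across many source addresses; in production the same signal is better expressed as a per-client or per-token budget of distinct profile IDs per minute, enforced at the API edge rather than discovered in logs afterwards. Assigning non-sequential, unguessable profile identifiers removes the walkable sequence altogether.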

Gravatar Minimizes User Data Collection

Gravatar tweeted public statements that minimized the impact of the user information collection.

Gravatar helps establish your identity online with an authenticated profile. We’re aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation. (1/4)

— (@gravatar) December 6, 2021

Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography.

— (@gravatar) December 6, 2021


Last year, a security researcher scraped public Gravatar data – usernames and MD5 hashes of email addresses used to reference users’ avatars by abusing our API. We immediately patched the ability to harvest the public profile data en masse. (3/4)

— (@gravatar) December 6, 2021

The last tweet in the series from Gravatar encouraged readers to learn how Gravatar works:

“If you want to learn more about how Gravatar works or modify the data shared in your profile, please visit”

Ironically, Gravatar linked to the insecure HTTP version of the URL. On reaching the URL there was no redirect on Gravatar’s side to the secure (HTTPS) version of the page, which only undermined their effort to project a sense of security.

Twitter Users React

One Twitter user objected to the use of the word “breach” because the information was publicly available.

I think it was unfair of @troyhunt to classify that as a breach. It was screen scraping, they didn’t get anything that wasn’t already publicly available.

— Peter Morris #BlackLivesMatterToo (@MrPeterLMorris) December 6, 2021


The person behind the HaveIBeenPwned website responded:

That’s why it says “scraped data”. But you could also argue that “breach” is appropriate when the data is obtained and misused outside the intended scope with which it was provided.

— Troy Hunt (@troyhunt) December 6, 2021

Why the Gravatar Scraping Event Is Important

Troy Hunt, the person behind the HaveIBeenPwned website, explained in a series of tweets why the Gravatar scraping event is important.

Troy asserted that the data users entrusted to Gravatar was used in a way they did not expect.

Gravatar User Trust Eroded

The argument of “well, it’s public data anyway” is a view held by the minority. The overwhelming majority of people consistently say “I didn’t expect my data to be used in this way and I’m unhappy it’s now out there and being passed around in this format”.

— Troy Hunt (@troyhunt) December 6, 2021

What can you actually do about it? People often request that the impacted service delete their data. That obviously doesn’t put the genie back in the bottle, but it’s a reasonable action once trust is eroded.

— Troy Hunt (@troyhunt) December 6, 2021

Users Want Control Over Their Gravatar Data

Troy asserted that users want to be aware of how their information is used and accessed.


At the very least, it’s awareness. I want to know – *most* people want to know – when our personal data appears in places we didn’t expect it to, and that’s precisely what @haveibeenpwned does.

— Troy Hunt (@troyhunt) December 6, 2021

Were Gravatar Users Pwned?

An argument can be made that a Gravatar account may be public but should not be easily harvestable as step one of an attack by people with malicious intent.

Gravatar asserted that after the enumeration vulnerability was disclosed, it took steps to close it and prevent further mass downloading of user information.

So on the one hand Gravatar took steps to prevent those with malicious intent from harvesting user information. On the other hand, it said that reports of Gravatar being hacked are misinformation.

But the fact is that HaveIBeenPwned did not call it a hacking event; it called it a breach.

An argument can be made that Gravatar’s reliance on an unsalted MD5 hash of the email address was insecure, and the moment the scraped hashes were matched back to email addresses, the irregular scraping of “public information” became a breach.


Many Gravatar users aren’t particularly happy and are looking for answers:

Will you be publishing this information on your site?

People who received the Gravatar notice from Have I Been Pwned will go to your site for the latest information.

I checked, there’s nothing on your site.

Gravatar users should not be forced to contact support for answers.

— Deborah Edwards-Oñoro (@redcrew) December 6, 2021

