Gravatar “Breach” Exposes Information of 100+ Million Customers

The safety alert firm HaveIBeenPwned notified customers that the profile info of 114 million Gravatar customers had been leaked on-line in what they characterised as a knowledge breach. Gravatar denies that it was hacked.

Right here’s a screenshot of the e-mail that was despatched to HaveIBeenPwned customers that characterised the Gravatar occasion as a knowledge breach:


Gravatar Breach

Gravatar Enumeration Vulnerability

The person info of each individual with a Gravatar account was open to being downloaded utilizing software program that “scrapes” the information.


Proceed Studying Under

Whereas technically that’s not a breach, the style by which person info was saved by Gravatar made it simple for an individual with malicious intent to acquire person info which may then be used as a part of one other assault to achieve passwords and entry.

Gravatar accounts are public info. Nonetheless the person person profile accounts should not publicly listed in a approach that may simply be browsed. Ordinarily an individual must know account info just like the username with a purpose to discover the account and all of the publicly out there info.

A safety researcher found in late 2020 that Gravatar person account info was recorded in numerical order. A information report from the time described how the safety researcher peeked right into a JSON file linked within the profile web page revealed an ID quantity that corresponded to the numerical quantity assigned to that person.

The issue with that person identification quantity is that the profile might be reached with that quantity.


Proceed Studying Under

As a result of the quantity was not randomly generated however in numerical order, anybody wishing to entry the the entire Gravatar usernames may entry that info by requesting and scraping the person profiles in numerical order.

Information Scraping Occasion

A knowledge breach is outlined as when an unauthorized individual features entry to info that’s not publicly out there.

The Gravatar info was publicly out there however an outsider must know the username of the Gravatar person with a purpose to achieve entry to the Gravatar person profile. Moreover the e-mail deal with of that person was saved in an insecure encrypted method (referred to as an MD5 hash).

An MD5 hash is insecure and may simply be unencrypted (often known as cracked). Storing e-mail addresses within the MD5 format offered solely minor safety safety.

That signifies that as soon as an attacker downloaded the usernames and the e-mail MD5 hash it was then a easy matter for the person’s e-mail deal with to be extracted.

In accordance with the safety researcher who initially found the username enumeration vulnerability, Gravatar solely had “nearly no price limiting” which signifies that a scraper bot may request thousands and thousands of person profiles with out being stopped or challenged for suspicious habits.

In accordance with the information report from October 2020 that initially divulged the vulnerability:

“Whereas knowledge offered by Gravatar customers on their profiles is already public, the straightforward person enumeration side of the service with nearly no price limiting raises considerations as regards to the mass assortment of person knowledge.”

Gravatar Minimizes Consumer Information Assortment

Gravatar tweeted public statements that minimized the affect of the person info assortment.


Proceed Studying Under

The final tweet within the sequence from Gravatar inspired readers to learn the way Gravatar works:

“If you wish to study extra about how Gravatar works or modify the information shared in your profile, please go to”

Paradoxically, Gravatar linked to an insecure protocol of the URL, utilizing HTTP. Upon reaching the URL there was no redirect on Gravatar to a safe (HTTPS) model of the net web page, which solely undermined their efforts to undertaking a way of safety.

Twitter Customers React

One Twitter person objected to the usage of the phrase “breach” as a result of the data was publicly out there.


Proceed Studying Under

The individual behind the HaveIBeenPwned web site responded:

Why Gravatar Scraping Occasion Is Vital

Troy Hunt, the individual behind the HaveIBeenPwned web site defined in a sequence of tweets why the Gravatar scraping occasion is necessary.

Troy asserted that the information that customers entrusted to Gravatar was utilized in a approach that was sudden.

Gravatar Consumer Belief Eroded

Customers Need Management Over Their Gravatar Data

Troy asserted that customers need to pay attention to how their info is used and accessed.


Proceed Studying Under

Have been Gravatar Customers Pwned?

An argument might be made {that a} Gravatar account might be public however not simply harvested as Step One in every of a hacking occasion by folks with malicious intent.

Gravatar asserted that after the enumeration assault vulnerability was disclosed that they took steps to shut it to forestall additional downloading of person info.

So on the one hand Gravatar took steps to forestall these with malicious intent from harvesting person info. However however they stated studies of Gravatar being hacked is misinformation.

However the reality is that HaveIBeenPwned didn’t name it a hacking occasion, they referred to as it a breach.

An argument might be made that Gravatar’s use of the MD5 hash for storing e-mail knowledge was insecure and the second hackers cracked the insecure encryption, the irregular scraping of “public info” turned a breach.


Proceed Studying Under

Many Gravatar customers aren’t significantly completely happy and are searching for solutions:


Leave a Comment