Gravatar is fielding questions today after “Have I Been Pwned,” a data breach checker service, tweeted “New scraped data: Gravatar had 167M profiles scraped in Oct last year via an enumeration vector. 114M of the MD5 email address hashes were subsequently cracked and distributed alongside names and usernames.” The service reports that 72% of these email addresses were already logged in its database from earlier incidents.
The tweet referenced a BleepingComputer article from October 2020 titled “Online avatar service Gravatar allows mass collection of user info,” which explains how the hashes were originally obtained. After Italian security researcher Carlo Di Dato was unable to get an answer from Gravatar, he demonstrated to the publication that every profile could be fetched by the sequential numeric ID associated with it, with no authentication or rate limiting standing in the way. He then wrote a test script that visited the profile URLs for IDs 1 to 5000 in order and said he collected the JSON data of the first 5000 Gravatar users with no issues.
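The two ingredients of this incident are sequential IDs (which make the whole profile set enumerable) and MD5 hashes of email addresses (which are cheap to reverse once you hold usernames and display names). The following Python example, added here and not taken from the article or from Gravatar, shows the second half: why an MD5 hash of an email is not an anonymiser. It assumes Gravatar's documented hashing rule (MD5 of the trimmed, lower-cased address) and works entirely on constructed data: a stand-in list of scraped profiles, a small stand-in wordlist of addresses from earlier leaks, and a few domains to combine with usernames and names. Nothing is fetched from the network.

```python
import hashlib


def gravatar_hash(email: str) -> str:
    """MD5 of the trimmed, lower-cased address, the form Gravatar documents for lookups."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample of what a scraper would hold after enumerating profiles:
# the public hash plus the username and display name shown on each profile.
SCRAPED_PROFILES = [
    {"hash": gravatar_hash("alice.example@example.com"), "username": "aliceex", "name": "Alice Example"},
    {"hash": gravatar_hash("bob_builder@example.org"), "username": "bob_builder", "name": "Bob Builder"},
    {"hash": gravatar_hash("unguessable.2f9c@example.net"), "username": "zq", "name": ""},
]

# Constructed stand-in for a wordlist of addresses exposed in earlier breaches.
KNOWN_EMAILS = ["alice.example@example.com", "carol@example.com"]

# Constructed stand-in for the handful of mail domains that cover most users.
COMMON_DOMAINS = ["example.com", "example.org", "example.net"]


def candidate_emails(profile: dict, domains: list[str]):
    """Yield address guesses derived from the public username and display name."""
    user = profile["username"]
    for d in domains:
        yield f"{user}@{d}"
    parts = profile["name"].lower().split()
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        for d in domains:
            yield f"{first}.{last}@{d}"
            yield f"{first}{last}@{d}"
            yield f"{first[0]}{last}@{d}"


def crack(profiles: list[dict], known_emails: list[str], domains: list[str]) -> dict[str, str]:
    """Return {hash: recovered_email} for every profile whose hash we can match.

    Two passes: a reverse table built from addresses already known from other
    leaks (one hash per address, so this is O(n) regardless of profile count),
    then per-profile guesses built from the username and name.
    """
    known_table = {gravatar_hash(e): e.strip().lower() for e in known_emails}
    recovered = {}
    for p in profiles:
        h = p["hash"]
        if h in known_table:
            recovered[h] = known_table[h]
            continue
        for guess in candidate_emails(p, domains):
            if gravatar_hash(guess) == h:
                recovered[h] = guess
                break
    return recovered


if __name__ == "__main__":
    hits = crack(SCRAPED_PROFILES, KNOWN_EMAILS, COMMON_DOMAINS)
    for p in SCRAPED_PROFILES:
        print(p["username"], "->", hits.get(p["hash"], "<not recovered>"))
```

The third profile survives only because its address contains a random token that no wordlist or name-based rule produces; ordinary addresses, which is what most of the 114M cracked hashes will have been, fall to a few guesses each. The practical point for anyone deploying a Gravatar-style scheme: publishing an unsalted hash of a low-entropy identifier is publishing the identifier, and a per-profile random ID rather than a sequential one is what stops the bulk collection in the first place.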
Many Gravatar users were startled and upset by notices from Firefox Monitor and Have I Been Pwned this morning, stating that their information had appeared in a new data breach.
— Lundy (@simplyeazy) December 6, 2021
The BleepingComputer article has gained more attention after Have I Been Pwned’s disclosure today, spurring Gravatar to respond on Twitter:
Gravatar helps establish your identity online with an authenticated profile. We’re aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation.
Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography.