Gravatar profile add-on leaks data on millions of users

By on
Gravatar profile add-on leaks data on millions of users

Details of just under 114 million users in hackers' hands.

Users who have signed up for password breach monitoring through the HaveIBeenPwned service are being alerted to a large-scale data leak by Gravatar, an add-on service for user profiles owned by Automattic, the company behind blogging platform WordPress.

"In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars," HaveIBeenPwned warned.

The researcher is Advantio penetration tester Carlo di Dato, who discovered it was possible to get and enumerate user profile data from Gravatar via the JSON data interchange format.

As a result of the vulnerability, "167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community," HaveIBeenPwned said.

Of the MD5 hashes, just under 114 million were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.

The operator of the HaveIBeenPwned password breach recording site, Troy Hunt, saw his data leaked by Gravatar.

Hunt said that he would not stop using Gravatar despite the leak.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?