
Gravatar insists it has not suffered a data breach after appearing on Have I Been Pwned?

Gravatar has denied falling victim to a data breach, despite Have I Been Pwned, a popular breach-checking platform, suggesting in a tweet on 5th December that it had.

The Have I Been Pwned Twitter account posted: “New scraped data: Gravatar had 167M profiles scraped in Oct last year via an enumeration vector. 114M of the MD5 email address hashes were subsequently cracked and distributed alongside names and usernames. 72% were already in @haveibeenpwned.”

The tweet also referenced and linked to an October 2020 BleepingComputer article claiming that Gravatar allowed mass collection of user information. The article featured Italian researcher Carlo Di Dato demonstrating how easily anyone could access user data.

Gravatar users receive notifications, but service denies a hack

The day after the Have I Been Pwned tweet, many Gravatar users who also use the popular Firefox Monitor received notifications that their details had appeared in a new data breach.

Unsurprisingly, these notifications drove significant traffic to the BleepingComputer article shared by the Have I Been Pwned Twitter account, and even prompted Gravatar to issue a denial that it had fallen victim to a data breach.

Gravatar said: “Gravatar helps establish your identity online with an authenticated profile. We’re aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation.

“Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography.

“Last year, a security researcher scraped public Gravatar data – usernames and MD5 hashes of email addresses used to reference users’ avatars by abusing our API. We immediately patched the ability to harvest the public profile data en masse. If you want to learn more about how Gravatar works or adjust the data shared on your profile, please visit Gravatar.com.”

In short and plain English, Gravatar says its users control what data it shares, so it does not consider this incident a data breach.
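The technical heart of the dispute is the identifier itself: an unkeyed MD5 of an e-mail address is only as private as the address is rare. Anyone holding a list of addresses can hash each one and compare, which is all that "cracking" 114M of the hashes amounts to. The following is an added example, not code from Gravatar, Have I Been Pwned or the researcher; it assumes the common trim-and-lowercase normalisation before hashing and uses a constructed three-address candidate list. For contrast it also shows a keyed HMAC, which a candidate list cannot be matched against without the key.

```python
import hashlib
import hmac


def gravatar_style_hash(email: str) -> str:
    """Unkeyed MD5 of the normalised address.

    Trimming and lower-casing before hashing is assumed here as the usual
    avatar-lookup convention. Normalisation is not a secret, so anyone with
    a list of addresses can reproduce the identifier exactly.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 over the same normalised address, shown for comparison.

    Without the key, a candidate list cannot be turned into matching digests.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def match_hashes(digests, candidate_emails, hash_fn):
    """Return {digest: email} for every digest equal to hash_fn(candidate).

    This is the whole of a dictionary match against an unsalted e-mail hash:
    hash every address you already know, look for collisions with the set.
    """
    lookup = {hash_fn(e): e.strip().lower() for e in candidate_emails}
    return {d: lookup[d] for d in digests if d in lookup}


# Constructed sample data (not from the article): a tiny candidate list standing
# in for the address lists that breach aggregators already hold.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Constructed "scraped" set: two identifiers belong to candidates (one entered
# with different capitalisation and a trailing space), one does not.
SCRAPED_MD5 = [
    gravatar_style_hash("Alice@Example.com "),
    gravatar_style_hash("bob@example.org"),
    gravatar_style_hash("nobody-on-the-list@example.com"),
]


def demo_unkeyed():
    """Two of the three scraped MD5 identifiers map straight back to addresses."""
    return match_hashes(SCRAPED_MD5, CANDIDATE_EMAILS, gravatar_style_hash)


def demo_keyed(server_key: bytes = b"constructed-demo-key", attacker_key: bytes = b"guess"):
    """Same candidates, keyed scheme: reproducing the algorithm without the key matches nothing."""
    digests = [keyed_hash(e, server_key) for e in CANDIDATE_EMAILS]
    return match_hashes(digests, CANDIDATE_EMAILS, lambda e: keyed_hash(e, attacker_key))


if __name__ == "__main__":
    print("unkeyed MD5 recovered:", demo_unkeyed())
    print("keyed HMAC recovered: ", demo_keyed())
```

The keyed variant is there only to make the contrast concrete. It would not fit a scheme in which every third-party site computes the identifier itself from the e-mail, which is exactly why the practical advice later in the article is to treat whatever is tied to your avatar as public.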

Was such an incident always coming?

Gravatar, which is used on many WordPress websites and on platforms like GitHub and Stack Overflow, has faced several warnings about potential privacy attacks in recent years. Di Dato was far from the first or only security researcher to demonstrate how easy it is to scrape user information from the service.
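Gravatar says it patched the ability to harvest profile data en masse; noticing that kind of enumeration in access logs is the other half of the defence. The following is an added example, not code from Gravatar or any of the researchers mentioned: it runs over a constructed Common Log Format sample in which the `/<numeric-id>.json` profile path and the client addresses are assumptions for illustration only, and flags clients that fetch many distinct profiles in a short window, reporting how sequential their ids were and how often they hit non-existent profiles.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Common Log Format). The "/<id>.json" profile
# path and the client addresses are assumptions for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2021:10:00:01 +0000] "GET /1001.json HTTP/1.1" 200 512
203.0.113.5 - - [05/Dec/2021:10:00:01 +0000] "GET /1002.json HTTP/1.1" 200 498
203.0.113.5 - - [05/Dec/2021:10:00:02 +0000] "GET /1003.json HTTP/1.1" 404 153
203.0.113.5 - - [05/Dec/2021:10:00:02 +0000] "GET /1004.json HTTP/1.1" 200 507
203.0.113.5 - - [05/Dec/2021:10:00:03 +0000] "GET /1005.json HTTP/1.1" 200 511
203.0.113.5 - - [05/Dec/2021:10:00:03 +0000] "GET /1006.json HTTP/1.1" 200 490
198.51.100.7 - - [05/Dec/2021:10:00:03 +0000] "GET /4411.json HTTP/1.1" 200 503
198.51.100.7 - - [05/Dec/2021:10:05:00 +0000] "GET /4411.json HTTP/1.1" 200 503
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /(?P<pid>\d+)\.json HTTP/[\d.]+" (?P<status>\d{3}) \d+$'
)


def parse_log(text):
    """Yield (client_ip, timestamp, profile_id, status) for each profile request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a profile lookup; ignore
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, int(m.group("pid")), int(m.group("status"))


def find_enumerators(text, max_profiles=5, window_seconds=60):
    """Flag clients fetching >= max_profiles distinct profiles within window_seconds.

    The distinct-id count is the primary signal (a page re-rendering the same
    avatar never trips it). The share of consecutive ids and of 404s are
    secondary indicators that someone is walking an id space rather than
    following links.
    """
    by_ip = defaultdict(list)
    for ip, ts, pid, status in parse_log(text):
        by_ip[ip].append((ts, pid, status))

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        ids = [pid for _, pid, _ in recs]
        distinct = len(set(ids))
        span = (recs[-1][0] - recs[0][0]).total_seconds()
        if distinct < max_profiles or span > window_seconds:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        flagged[ip] = {
            "distinct_profiles": distinct,
            "span_seconds": span,
            "sequential_ratio": sum(1 for s in steps if s == 1) / len(steps),
            "not_found_ratio": sum(1 for _, _, st in recs if st == 404) / len(recs),
        }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed sample the first client is flagged (six distinct profiles in two seconds, every id one higher than the last) while the second, which re-fetched a single profile five minutes apart, is not. In production the same counts would be kept per client key or token rather than per address, and the threshold tuned against what a legitimate page load actually requests.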

Previous warnings include:

Gravatar users unhappy with explanation

Many Twitter users responded to Gravatar and raised issues with their explanation.

One, Christopher Forster, said: “That sounds like your data was accessed in a way you didn’t intend (if only there was a word for that), but you didn’t mean to be?”

Another, with the username RegGBlinker, said: “If someone is able to use an API for other than its intended purpose and can gather information which otherwise wouldn’t be available through “standard” means… it’s a breach.”

The question of whether companies like Gravatar are the "victims" because they provide a service that has been abused, or are complicit because they have done nothing about the potential for incidents like this, will run and run.

Whatever side of the fence you sit on, it’s not particularly helpful for Gravatar to be trying to frame this as a matter of pedantry around what its services are and what policies mean. And blaming users never ends well.

What should users do next?

It’s the old adage: only share things you don’t mind everyone knowing, as you probably already do with your social media posts.

Gravatar can provide convenience for doing things online, but there are risks attached to it. So do what you need to do to minimise those risks to a level you’re comfortable with.
