Gravatar “Breach” Exposes Data of 100+ Million Users

A security site sent data breach notices to more than 100 million Gravatar users. Gravatar says it was not hacked.

HaveIBeenPwned, a security breach notification service, informed users that the profiles of 114,000,000 Gravatar users had been leaked online, in what it described as a data leak. Gravatar denied that it had been hacked.

Below is a screenshot of an email that HaveIBeenPwned users received. This email described the Gravatar event in terms of a data leak:

Gravatar Enumeration Vulnerability

Every Gravatar user’s profile data could be downloaded with software that “scrapes” it.

Technically, this is not a breach. However, the way Gravatar stored user information made it easy for someone with malicious intent to collect that information, which could then be used in a further attack to gain access and passwords.

Gravatar profiles are publicly available. However, individual Gravatar profiles are not exposed in a way that allows easy browsing. Normally, to locate a profile and all the information it makes public, one would need account information such as the username.

In late 2020, a security researcher found that Gravatar user account IDs were assigned in numerical order. According to a news report, the researcher noticed this when he accessed the JSON file linked from a profile: the ID number in that file corresponds to the numerical ID assigned to that user.

That user ID number could be used to reach the profile directly.

Since the ID was not randomly generated but assigned in sequence, anyone could obtain every Gravatar username by requesting and scraping the user profiles in numerical order.

Data scraping event

A data breach occurs when an unauthorized individual gains access to information that is not publicly available.

While the Gravatar information is publicly accessible, outsiders would have to identify the Gravatar user’s username to gain access. An MD5 hash was used to secure the user’s email address.

MD5 is a cracked, insecure hashing algorithm. Storing email addresses as MD5 hashes offered minimal protection.

This means that once an attacker had downloaded the usernames and the email MD5 hashes, it was easy to recover the users’ email addresses.

According to the security researcher who discovered the username enumeration vulnerability, Gravatar has “virtually no rate limiting.” This means that a scraper bot can request millions of user profiles without being challenged or stopped.
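Sequential profile IDs fetched without rate limiting leave a distinctive pattern in server access logs. The following is an added example, not code from the article or from Gravatar: it assumes a simplified log format and a hypothetical `/<id>.json` path shape, and flags clients whose recent requests walk consecutive profile IDs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Gravatar traffic): one ordinary
# client fetching a single profile twice, and one client walking IDs in
# sequence. Format (assumed): client timestamp method path status
SAMPLE_LOG = """\
10.0.0.5 1633046400 GET /90214.json 200
10.0.0.9 1633046400 GET /1.json 200
10.0.0.9 1633046400 GET /2.json 200
10.0.0.9 1633046401 GET /3.json 200
10.0.0.9 1633046401 GET /4.json 200
10.0.0.9 1633046401 GET /5.json 200
10.0.0.9 1633046402 GET /6.json 200
10.0.0.5 1633046430 GET /90214.json 200
"""

LINE_RE = re.compile(r"^(\S+) (\d+) GET /(\d+)\.json (\d+)$")


def parse_log(text):
    """Yield (client, timestamp, profile_id) for each numeric-profile request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))


def find_enumerators(text, window=10, min_requests=5, min_sequential=0.8):
    """Flag clients whose requests in the last `window` seconds of their
    activity are mostly consecutive profile IDs (an ID-walking scraper).
    Returns {client: (recent_requests, sequential_steps)}."""
    by_client = defaultdict(list)
    for client, ts, pid in parse_log(text):
        by_client[client].append((ts, pid))
    flagged = {}
    for client, reqs in by_client.items():
        reqs.sort()  # order by time, then by ID
        recent = [r for r in reqs if r[0] >= reqs[-1][0] - window]
        if len(recent) < min_requests:
            continue
        # count adjacent requests whose IDs differ by exactly one
        steps = sum(1 for a, b in zip(recent, recent[1:]) if b[1] - a[1] == 1)
        if steps >= min_sequential * (len(recent) - 1):
            flagged[client] = (len(recent), steps)
    return flagged
```

A flagged client is a candidate for throttling or challenge, which is the control the researcher found missing.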


The vulnerability was first disclosed in a news report dated October 2020:

“While Gravatar users’ profiles are already publicly available, the Gravatar user enumeration function with virtually no rate limitation raises concerns regarding the mass collection of user information.”

Gravatar Minimizes User Data Collection

Gravatar posted public statements in which it minimized the impact on user information collection.

Gravatar is a website that helps you establish your identity online. We are aware that Gravatar has been accused of being hacked. We want to clarify this misinformation.

Gravatar was not hacked. You need control over what data you share online with our service. Our API allows you to make public any data that you wish. Our API allows users to share their full names, display names, locations, email addresses, and short biographies.

A security researcher found public Gravatar data. This includes usernames and MD5 hashes for email addresses. The information was used to reference avatars. We immediately corrected the issue with the mass harvesting of public profile data.

Gravatar’s last tweet encouraged readers to learn more about Gravatar:

“If you want to grasp more about how Gravatar works/adjust the data shared on your profile, please visit http://Gravatar.com.”

The tweet linked to Gravatar over the insecure HTTP protocol, and Gravatar did not redirect the user to the HTTPS version of the URL, undermining its effort to project security.

Twitter Users React

One Twitter user objected to the use of the word “breach” because the information was public.

I believe it was unfair for @troyhunt to classify this as a breach. Screen scraping was used, but they didn’t obtain any information that wasn’t already public.

Peter Morris (@MrPeterLMorris)

The creator of the HaveIBeenPwned website replied:

This is why the “scraped data” tag exists. But it would help if you also argued that “breach” is required when the information is obtained and misused outside the intended scope with which it was provided.

— Troy Hunt (@troyhunt)

Why Gravatar Scraping Events Are Important

Troy Hunt, who runs HaveIBeenPwned, explained in a series of tweets why the Gravatar scraping matters.

Troy stated that Gravatar had used the data users provided to it in ways they did not anticipate.

Gravatar User Trust Founded

Only a minority holds the opinion that it is public data. The overwhelming majority of people say that they did not expect their data to be used in this manner and are unhappy that it is being spread around in this format.

— Troy Hunt (@troyhunt)

What can you do to fix it? Many individuals request that the impacted company delete their data. Although it doesn’t restore the genie from the bottle, it’s an appropriate action once trust has been lost.

— Troy Hunt (@troyhunt)

Users Want to Control Their Gravatar Information

Troy stated that users want to be informed about how their information is used.

Were Gravatar Users Pwned?

It could be argued that Gravatar accounts are public, but that their data could still be harvested by persons with malicious intent as step 1 of a larger hacking operation.

Gravatar said it had taken steps to close the enumeration vulnerability following its disclosure.

Gravatar said it took precautions to prevent malicious actors from harvesting user details, and that reports of Gravatar having been hacked were misinformation.

It is not a hacking incident. HaveIBeenPwned called it a breach.

It could be argued that Gravatar’s MD5 hashes were not secure: attackers cracked them, and the abnormal scale of “public data” scraping turned the event into a breach.

Many Gravatar customers are unhappy and looking for answers.

Will you publish this information on your site?

The Gravatar notice from Have I Been Pwned was sent to everyone affected.

Gravatar users shouldn’t have to contact support for help. – Deborah Edwards Onoro (@redcrew).