Gravatar: Approx. 114 million user names and e-mail addresses floating in underground

Sicherheit (Pexels, allgemeine Nutzung)[German]Datasets containing the email addresses and usernames of approximately 114 million Gravatar users circulate in underground networks. The service uses an MD5 hash value for the globally unique URLs of the Gravatars, which encrypts the email addresses. However, the MD5 hash has long been crackable, so the data in question could be extracted from the MD5 hash values.


Advertising

What is Gravatar?

Gravatar is a service for providing globally unique avatars and was developed by Tom Preston-Werner. Since 2007 it has been owned by Automattic, the developer of the WordPress.com blogging platform, where Gravatar has been integrated. Users must sign up with their avatar to the free Gravatar platform. This allows users to be displayed with their avatar in WordPress comments. This is not used here on the blog, as I disabled this WordPress option in 2018 for GDPR reasons.

The Gravata data leak

I came across this information earlier in the night on Facebook in the WordPress forum. A member pointed out that Gravatar had had a security and privacy issue for a very long time. The German text says, that there is a Gravatar Leak, and the MD5 hashes used by Gravatar has been cracked. So Gravatar is a security and data protection issues since years.

Gravatar-Leak

Have I been pawned points out in a post a privacy incident from October 3, 2021. In 2020, someone pulled users' data from Gravatar. This data (email addresses, usernames) was hashed with MD5 – but that doesn't help much if the MD5 hash can be cracked. 

Gravatar

In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars . 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.

Anyone who has a Gravatar, their username and email address is now circulating in underground forums and could be abused for SPAM.


Advertising


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *