Gravatar is a popular service for providing globally unique avatars. The key idea behind the product is to associate a digital avatar with the email address of an account holder. Because Gravatar integrates with WordPress, GitHub and other platforms, the avatar is automatically displayed whenever the user interacts on a participating website or leaves a comment.
In October 2020, a security researcher named Carlo Di Dato discovered a technique to exploit a vulnerability of the Gravatar service to collect data about its users. Although the available data was theoretically public, Di Dato warned the community that “it’s unlikely users know their data can be accessed by querying Gravatar in a way which should not be possible.”
Indeed, cyber criminals did not miss the chance to exploit the very same weakness.
In December 2021, the Kaduu team discovered the so-called “scrape” file related to the Gravatar service. 167 million names, usernames and hashed email addresses used to reference users’ avatars were scraped and freely distributed in underground hacking forums. Earlier this month we also discovered a “decrypted” version of this data leak, in which the hashes have been resolved back to email addresses in a human-readable format.
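The reason a “hashed” dump could be turned into plaintext is worth making concrete. Gravatar identifies an avatar by the MD5 of the trimmed, lowercased email address, which every site must be able to compute, so the identifier is an unsalted, unkeyed hash of a low-entropy value. The following added example (written for this post, not Gravatar’s own code) builds that identifier, shows how a defender can measure how much of a hash-only record set is exposed given an address list they already hold (the constructed sample addresses and hashes below are invented for the example), and contrasts it with a keyed HMAC, which a service that controls both ends can use to issue pseudonymous identifiers that cannot be resolved this way. The `SECRET_KEY` value is an assumption for illustration.

```python
import hashlib
import hmac


def gravatar_hash(email: str) -> str:
    """Gravatar's documented avatar identifier: MD5 of the trimmed, lowercased address."""
    normalized = email.strip().lower().encode("utf-8")
    return hashlib.md5(normalized).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """Public avatar URL; any site can compute it, which is also why the hash is not a secret."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


def exposure_check(scraped_hashes: list[str], known_emails: list[str]) -> dict[str, str]:
    """Defender's assessment: which hash-only records resolve to addresses already
    present in a list we hold (for example our own user directory, or a breach corpus
    we monitor)? Because the hash is unsalted, one lookup table covers the whole dump."""
    table = {gravatar_hash(e): e.strip().lower() for e in known_emails}
    return {h: table[h] for h in scraped_hashes if h in table}


def keyed_identifier(email: str, key: bytes) -> str:
    """Contrast: a keyed HMAC over the same input. Without the key, a lookup table
    cannot be built, so a leaked identifier does not resolve to an address.
    (Not usable for Gravatar itself, whose design needs third parties to compute the hash.)"""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


# Constructed sample data for the example; not from the leak.
KNOWN_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]
SECRET_KEY = b"assumed-example-key"  # assumption: a server-side secret, never shared

# A scraped record set normally contains only hashes. We fabricate one here by hashing
# two addresses from the known list plus one address the defender does not hold.
SCRAPED_HASHES = [
    gravatar_hash("Alice@Example.com"),   # case and whitespace normalize to the same hash
    gravatar_hash("bob@example.org"),
    gravatar_hash("unknown-user@example.com"),
]


def exposure_ratio(scraped_hashes: list[str], known_emails: list[str]) -> float:
    """Fraction of hash-only records that resolve against the held address list."""
    resolved = exposure_check(scraped_hashes, known_emails)
    return len(resolved) / len(scraped_hashes) if scraped_hashes else 0.0


if __name__ == "__main__":
    resolved = exposure_check(SCRAPED_HASHES, KNOWN_EMAILS)
    for h, email in resolved.items():
        print(f"{h} -> {email}  ({gravatar_url(email)})")
    print(f"exposed: {exposure_ratio(SCRAPED_HASHES, KNOWN_EMAILS):.0%} of sampled records")
    # The keyed identifier for the same address is stable but not reversible by table lookup.
    print("keyed:", keyed_identifier("alice@example.com", SECRET_KEY))
```

The practical takeaway for anyone who stores or publishes hashed email addresses: an unsalted hash of an email is a pseudonym, not a protection, and it should be treated as personal data in breach and phishing risk assessments.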
Even though this data breach does not contain passwords, we would like to warn users about phishing. Once attackers hold the name and email address of a user, they can craft and send targeted malicious emails.
Stay vigilant and cyber safe!