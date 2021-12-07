Gravatar, a platform for providing avatars, was recently the victim of a data leak, according to the Have I Been Pwned service. The service monitors credential leaks and lets users search by registered email address or telephone number. It is estimated that data from 114 million Gravatar users may be in the hands of hackers or cybercriminals.

According to the website, a security hole discovered in October 2020 allowed the scraping of large amounts of Gravatar user data. This vulnerability was later actually exploited, resulting in an alert. Gravatar is integrated with WordPress site accounts.

More than 114 million Gravatar users have had data leaked online — Photo: Pond5

The Have I Been Pwned alert also gives details of the leaked user data. By all appearances, 167 million names, usernames and MD5 hashes of email addresses (the digest Gravatar uses to reference users’ avatars) have been replicated and disseminated within the hacker community.

Troy Hunt, creator of Have I Been Pwned, posted a tweet on the subject last Sunday (December 5). In the post, he said he was among the victims of the leak and demanded explanations from Gravatar. “My data is in the Gravatar scrape (and was on LinkedIn). It’s not huge, but it’s still frustrating, and I want to know about it,” Hunt wrote.

Hunt said he will not stop using the service, but that the platform needs to defend against scraping. The term names a technique that automates the collection of data from a website or web application and is often used to speed up the lookup and collection of publicly available data.

Troy Hunt comments on leaking his Gravatar data — Photo: Reproduction/Barbara Mannara

Bug testing and leaked data

The site Bleeping Computer published a demonstration of the Gravatar bug. It showed that an additional way of accessing user data is to use the numeric ID associated with each profile to fetch that profile’s data. This would allow any web crawler or bot to query the entire Gravatar database sequentially and thus collect public data very easily.

In tests carried out by the outlet, it was confirmed that some profiles expose more public data than others: for example, Bitcoin wallet addresses, phone numbers, location and more are displayed. According to Bleeping Computer, users who create public profiles on Gravatar consent to making this data publicly available.
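The sequential numeric-ID lookup described above leaves a recognisable trace in a site’s access logs: one client walking profile IDs in order. The following is an added example, not code from the article, Gravatar or Bleeping Computer, showing how a defender could flag such enumeration; the log lines are constructed, and the `/profile/<id>.json` path shape is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (not real Gravatar traffic).
# The "/profile/<id>.json" path shape is an assumption for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /profile/1000001.json HTTP/1.1" 200 412
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /profile/1000002.json HTTP/1.1" 200 398
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /profile/1000003.json HTTP/1.1" 404 0
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /profile/1000004.json HTTP/1.1" 200 455
203.0.113.7 - - [06/Dec/2021:10:00:03 +0000] "GET /profile/1000005.json HTTP/1.1" 200 401
198.51.100.9 - - [06/Dec/2021:10:00:05 +0000] "GET /avatar/5d41402abc4b2a76b9719d911017c592 HTTP/1.1" 200 2210
198.51.100.9 - - [06/Dec/2021:10:01:40 +0000] "GET /profile/2087455.json HTTP/1.1" 200 377
"""

# Matches client IP and the numeric profile ID of a profile lookup.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /profile/(\d+)\.json')


def profile_requests(log_text):
    """Yield (client_ip, numeric_profile_id) for each profile lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def longest_sequential_run(ids):
    """Length of the longest run of consecutive IDs (n, n+1, n+2, ...).

    A 404 for a missing ID does not break the run: an enumerating
    client simply moves on to the next ID.
    """
    longest = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return longest


def find_enumerators(log_text, min_run=5):
    """Return {client_ip: run_length} for clients walking IDs in order."""
    by_ip = defaultdict(list)
    for ip, pid in profile_requests(log_text):
        by_ip[ip].append(pid)
    flagged = {}
    for ip, ids in by_ip.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

A hit like this is a signal to rate-limit or challenge the client and, more fundamentally, to stop exposing profiles behind guessable sequential identifiers.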

Bleeping Computer tested with Gravatar's information leak bug — Photo: Disclosure/BleepingComputer

Although websites, services and social networks offer protection measures against hackers, no platform is completely safe from security breaches and scraping. In the latter case, the user can do little: it is up to the site to make security adjustments or update its privacy permissions.

To maintain data privacy, however, the user can follow some recommendations. One of them is not to save payment information. Although convenient, this practice is dangerous, as the material can fall into the hands of cybercriminals in a possible leak.

It is also important to create strong passwords, avoiding easily guessable words. Another tip is to turn on two-step verification whenever possible to add an extra layer of protection.

