In October 2020, a security researcher named Carlo Di Dato discovered a technique to exploit a vulnerability of the Gravatar online avatar service to collect data about its users. Although the available data was theoretically public, as Di Dato warned the community that “it’s unlikely users know their data can be accessed by querying Gravatar in a way which should not be possible."
Fast-forward to December 2021. HaveIBeenPwned revealed “167 million names, usernames and encrypted email addresses used to reference users’ avatars were scraped and distributed within the hacking community.” Just under 114 million, or 68% of the encrypted records, were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.
Gravatar is a service for providing globally unique avatars. Users can register an account based on their email address and upload a digital avatar to be associated with the account. Because Gravatar integrates with WordPress, GitHub and other platforms, the avatar is automatically displayed every time a user comments.
How does this affect you?
If you own a WordPress or GitHub account, you probably also have a Gravatar account, and your data was scraped in the leak. But there’s no reason to panic. While the situation isn’t ideal, the leaked data only includes names, usernames and email addresses. There’s no reason to believe passwords or other vital information were compromised.
Having said that, cybercriminals can still use the scraped data against you. For example, just by knowing your e-mail address, hackers can have a go at cracking your password. If your password is weak, or if it was reused on multiple accounts, your account can be easily hijacked.
Armed with just your name and e-mail address, scammers can cyberstalk you and target you with spam or spear-phishing. Unlike regular phishing, spear-phishing consists of compelling targeted messages, focused on a specific person of interest. Once “speared,” the victim is tricked into downloading malware or disclosing their password and financial data. Then the criminals take over.
Last but not least, hackers can link the scraped data with other personal information previously obtained on the Dark Web, build a complex digital profile and use your identity to commit fraud.
What can you do to stay safe?
Like it or not, data leaks happen all the time and changing our name or e-mail address isn’t an option, but we can take other steps to secure our accounts: