
Gravatar Data Leak Exposed 167 Million Profiles. What Does it Mean for You?

Radu CRAHMALIUC

December 07, 2021


In October 2020, security researcher Carlo Di Dato discovered a way to query the Gravatar online avatar service that let him collect data about its users at scale. Although that data was technically public, Di Dato warned the community that “it’s unlikely users know their data can be accessed by querying Gravatar in a way which should not be possible."

Fast-forward to December 2021. HaveIBeenPwned revealed “167 million names, usernames and encrypted email addresses used to reference users’ avatars were scraped and distributed within the hacking community.” The “encryption” is in fact the MD5 hash Gravatar uses to identify an email address, and a hash with no key can be reversed by guessing: just under 114 million of those hashes, or 68%, were cracked and distributed alongside the source hash, disclosing the original email address and the accompanying profile data.

Gravatar (short for Globally Recognized Avatar) is a service that ties a single avatar to an email address. Users register an account with their email address and upload a digital avatar to be associated with it. Because Gravatar integrates with WordPress, GitHub and other platforms, and those platforms look the avatar up by a hash of the commenter’s email address, the avatar (and the hash that identifies it) is displayed automatically every time the user comments.
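The following script is an added example, not code from the article or from Gravatar, that shows why a Gravatar hash is a weak disguise for an email address and why so large a share of the scraped records could be cracked from the name and username fields alone. The provider list and the sample records are constructed for the demonstration (nothing is fetched from Gravatar, and the records are not from the real dataset); the avatar URL shape is the conventional one and is built only to show where the hash gets exposed.

```python
import hashlib
from itertools import product
from typing import Dict, List, Optional, Set

# Gravatar identifies an address by the MD5 of the trimmed, lowercased e-mail.
# This is a keyless identifier, not encryption: anyone who can guess the
# address can recompute the hash and compare.
def gravatar_hash(email: str) -> str:
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

# Conventional avatar URL; built here only to show the hash that every
# integrated site embeds in its pages. Nothing is fetched.
def avatar_url(email: str, size: int = 80) -> str:
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"

# Mail providers a cracker would try first (assumed, illustrative list).
PROVIDERS = ("gmail.com", "outlook.com", "yahoo.com", "example.com")

def candidate_addresses(record: Dict[str, str]) -> List[str]:
    """Build address guesses from the record's own name and username fields,
    the data that was leaked right next to the hash."""
    username = record["username"].lower()
    first, _, last = record["name"].lower().partition(" ")
    local_parts = {username, f"{first}.{last}", f"{first}{last}"}
    if first and last:
        local_parts.add(f"{first[0]}{last}")
    local_parts.discard("")
    return [f"{lp}@{dom}" for lp, dom in product(sorted(local_parts), PROVIDERS)]

def crack_record(record: Dict[str, str]) -> Optional[str]:
    """Dictionary attack on one record: return the matching address or None."""
    target = record["hash"].lower()
    for email in candidate_addresses(record):
        if gravatar_hash(email) == target:
            return email
    return None

def crack_all(records: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    return {r["username"]: crack_record(r) for r in records}

def hash_in_dump(email: str, dump_hashes: Set[str]) -> bool:
    """Targeted check: even an uncracked hash confirms or rules out a specific
    address with a single MD5 computation."""
    return gravatar_hash(email) in dump_hashes

# Constructed sample records in the shape the article describes (name,
# username, hashed e-mail). Not taken from the real leak.
SAMPLE_RECORDS = [
    {"name": "Alice Smith",  "username": "asmith", "hash": gravatar_hash("Alice.Smith@example.com")},
    {"name": "Bob Keller",   "username": "bob_k",  "hash": gravatar_hash("bobkeller@outlook.com")},
    {"name": "Carol Wright", "username": "cw",     "hash": gravatar_hash("carol.w.1987@example.org")},
]

if __name__ == "__main__":
    results = crack_all(SAMPLE_RECORDS)
    for user, email in results.items():
        print(f"{user:8} -> {email or '(not cracked)'}")
    dump = {r["hash"] for r in SAMPLE_RECORDS}
    print("targeted check:", hash_in_dump("carol.w.1987@example.org", dump))
    print(avatar_url("alice.smith@example.com"))
```

Two of the three constructed records fall to guesses derived from their own name and username; the third survives only because its local part is not a simple name pattern, and even that hash still answers a yes/no question about any specific address someone wants to test.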

How does this affect you?

If you have a WordPress.com or GitHub account, there is a fair chance you also have a Gravatar profile, and if so its data was probably scraped in this leak. But there’s no reason to panic. While the situation isn’t ideal, the leaked data only includes names, usernames, hashed (and in many cases recovered) email addresses and public profile fields. There’s no reason to believe passwords or other vital information were compromised.

Having said that, cybercriminals can still use the scraped data against you. Your e-mail address is the username for most online accounts, so knowing it is enough for attackers to try passwords from earlier breaches (credential stuffing) or to guess them outright. If your password is weak, or if it was reused on multiple accounts, your account can be hijacked easily.

Armed with just your name and e-mail address, scammers can cyberstalk you and target you with spam or spear-phishing. Unlike regular phishing, spear-phishing consists of compelling targeted messages, focused on a specific person of interest. Once “speared,” the victim is tricked into downloading malware or disclosing their password and financial data. Then the criminals take over.

Last but not least, hackers can link the scraped data with other personal information previously obtained on the Dark Web, build a complex digital profile and use your identity to commit fraud.

What can you do to stay safe?

Like it or not, data leaks happen all the time and changing our name or e-mail address isn’t an option, but we can take other steps to secure our accounts:

  • always use a strong, unique password, preferably one that is randomly generated and securely stored in a password manager
  • never use the same password on multiple accounts and never reuse old passwords
  • if you have any reason to believe an account was compromised, change its password immediately
  • watch out for shady e-mails, especially ones that urge you to take immediate action, and don’t click on suspicious links
  • always double-check the e-mail sender, even if the message seems to come from a reliable source
  • stay informed. Even though you can’t prevent data leaks, you can still mitigate their effects. Bitdefender Digital Identity Protection is a service that helps you monitor your digital footprint and informs you if any of your personal information has been leaked, so you can take the right measures to secure your accounts and protect your identity.
