2 min read

Gravatar Data Leak Exposed 167 Million Profiles. What Does it Mean for You?

Radu CRAHMALIUC

December 07, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Gravatar Data Leak Exposed 167 Million Profiles. What Does it Mean for You?

In October 2020, a security researcher named Carlo Di Dato discovered a technique to exploit a vulnerability of the Gravatar online avatar service to collect data about its users. Although the available data was theoretically public, as Di Dato warned the community that “it’s unlikely users know their data can be accessed by querying Gravatar in a way which should not be possible."

Fast-forward to December 2021. HaveIBeenPwned revealed “167 million names, usernames and encrypted email addresses used to reference users’ avatars were scraped and distributed within the hacking community.” Just under 114 million, or 68% of the encrypted records, were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.

Gravatar is a service for providing globally unique avatars. Users can register an account based on their email address and upload a digital avatar to be associated with the account. Because Gravatar integrates with WordPress, GitHub and other platforms, the avatar is automatically displayed every time a user comments.

How does this affect you?

If you own a WordPress or GitHub account, you probably also have a Gravatar account, and your data was scraped in the leak. But there’s no reason to panic. While the situation isn’t ideal, the leaked data only includes names, usernames and email addresses. There’s no reason to believe passwords or other vital information were compromised.

Having said that, cybercriminals can still use the scraped data against you. For example, just by knowing your e-mail address, hackers can have a go at cracking your password. If your password is weak, or if it was reused on multiple accounts, your account can be easily hijacked.

Armed with just your name and e-mail address, scammers can cyberstalk you and target you with spam or spear-phishing. Unlike regular phishing, spear-phishing consists of compelling targeted messages, focused on a specific person of interest. Once “speared,” the victim is tricked into downloading malware or disclosing their password and financial data. Then the criminals take over.

Last but not least, hackers can link the scraped data with other personal information previously obtained on the Dark Web, build a complex digital profile and use your identity to commit fraud.

What can you do to stay safe?

Like it or not, data leaks happen all the time and changing our name or e-mail address isn’t an option, but we can take other steps to secure our accounts:

  • always use a strong, unique password, preferably one that is random generated and securely stored in a password manager
  • never use the same password on multiple accounts and never reuse old passwords
  • if you have any reason to believe an account was compromised, change your password immediately
  • watch out for shady emails, especially e-mails that urge you to take immediate action, and don’t click on suspicious links
  • always double check the e-mail sender, even if the message seems to come from a reliable source
  • stay informed. Even though you can’t prevent data leaks, you can still mitigate the effects. Bitdefender Digital Identity Protection is a service that helps you monitor your digital footprint and informs you if any of your personal information have been leaked so you can take the right measures to secure your accounts and protect your identity.

tags


Author



Right now

Top posts

What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

June 22, 2022

1 min read
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Marketing lists for crypto customers stolen in data breach at marketing platform Klaviyo Marketing lists for crypto customers stolen in data breach at marketing platform Klaviyo
Alina BÎZGĂ

August 09, 2022

2 min read
What is medical identity theft and how to protect against it What is medical identity theft and how to protect against it
Alina BÎZGĂ

July 27, 2022

2 min read
SSNs, drivers’ licenses and government IDs exposed in Oklahoma City Housing Authority data breach SSNs, drivers’ licenses and government IDs exposed in Oklahoma City Housing Authority data breach
Alina BÎZGĂ

July 26, 2022

1 min read