Gravatar data breach: affecting over 100 million users

Gravatar is one of the most well-known avatar websites in the world. The avatar set by the account created by the user here can be called for other websites without repeated settings. For example, WordPress supports the call of Gravatar avatars.

In fact, the Gravatar database was collected due to a vulnerability as early as October 2020. At that time, the database was traded on the dark web but did not attract much attention.

The main reason is that this database only contains the user’s registered email address, names, and usernames because Gravatar only needs these, so there is no private information at all except for the email address.

Firefox Monitor, a data breach monitoring platform of Mozilla, simply recorded this incident: the leaked Gravatar data only contained emails, names, and usernames.

Because there is no password and the password is not leaked, the user does not need to change the password. Moreover, even if the password is leaked, Gravatar will not cause potential threats.

However, it is recommended that users do not use repeated passwords, so as not to cause a more serious threat to all other websites due to the leakage of the password of one website.

The only threat to users is that they may receive various spam emails in the future because the database will definitely be used by spam gangs after it is widely circulated.

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.