Gravatar “Breach” discloses 100M+ user data

A safety site emailed reports of a data breach influencing more than 100 million Gravatar users. Gravatar refuses to admit that someone hacked it. The defense alert corporation HaveIBeenPwned informed users that the data of 114 million users leaked online. The user data of every individual with a Gravatar profile was free to download utilizing the software.

The software can scrape the information. Technically it’s not a violation. Gravatar stored the user data and made it manageable for an individual with negative purposes. They collect user data which they will use as part of invasion to gain access and passwords.

Gravatar profiles are public data. Nonetheless, the personal user accounts are not recorded in a manner that anyone can effortlessly browse. Ordinarily, an individual would need to know profile data like the username. By this, the person can find the profile and all the publicly accessible data.

The Gravatar data was publicly accessible, but an outsider must notice the username of the user. The outsider can gain permission to the avatar user account. Also, they store the user’s email address in an insecure encrypted way. An MD5 hash is risky. Anyone can effortlessly unencrypt this. Stocking email addresses in the MD5 layout gives only minor safety protection.

Troy Hunt clarified in a series of tweets the reason why the avatar scraping incident is crucial. Troy affirms that the information was the default picture of the user. A profile is possibly public, but no one can effortlessly harvest it.

Gravatar affirmed that after the enumeration invasion, they disclosed defenselessness. It took efforts to shut it to stave off further downloading of user data. So, on the one hand, avatar took efforts to prevent those with negative purposes from harvesting user data. But on the contrary, they asserted that the Gravatar hack is misleading information.