HaveIBeenPwned, a website that allows users to check if their data has found its way to the Dark Web, recently notified its clients about a Gravatar data breach in October 2020, which left more than 114 million profiles exposed. Other companies have sent out similar notifications to their clients. Gravatar denies any data breach.
Gravatar Claims the Scraped Data Was Already Public
Since the scraped data was public, Gravatar claims that the incident can’t be characterized as a breach. Many users disagree. The general feeling is disappointment at how easily hackers could collect user data on more than 114 million people, making it one of the biggest data breaches recorded.
What happened is not technically a breach, since no confidential data leaked. But the company made it easy for hackers to find and scrape data that can later be used to obtain personal information. In other words, this was not an armed robbery but ammo shopping for one.
There Are Significant Security Flaws in the Way Gravatar Stores User Data
Even though Gravatar profiles are public information, individual user profiles are not publicly listed. You won’t run into them by accident, and that gave users some sense of security and anonymity. You would have to type in a username or user number to find a specific Gravatar profile. But it turns out that once you know one user ID number, you can find all of them.
The company has several security flaws in the way it protects user identities. Firstly, it doesn’t assign randomly generated numbers to users: user accounts are numbered in sequential order. For instance, if the first user is 001, the next will be 002, and so on. If you know one user’s identification number, you can quickly derive the user ID numbers of every single Gravatar client.
Another security flaw is that the email addresses are stored as MD5 hashes, an outdated and long-broken hashing algorithm that is far below modern standards.
Gravatar also has no rate limiting. This means that a scraper could request millions of user profiles without raising any alarm.
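As an added example (not code from the article or from Gravatar), here is the kind of detection logic a site operator could run over access logs to catch the pattern the two flaws above make possible: one client walking sequential profile IDs far faster than a person browses. The log format, the IP addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real Gravatar logs): client IP, timestamp, requested profile ID.
SAMPLE_LOG = """\
203.0.113.5 2020-10-03T12:00:00 GET /profile/1001
203.0.113.5 2020-10-03T12:00:01 GET /profile/1002
203.0.113.5 2020-10-03T12:00:02 GET /profile/1003
203.0.113.5 2020-10-03T12:00:03 GET /profile/1004
203.0.113.5 2020-10-03T12:00:04 GET /profile/1005
203.0.113.5 2020-10-03T12:00:05 GET /profile/1006
198.51.100.7 2020-10-03T09:15:00 GET /profile/1001
198.51.100.7 2020-10-03T16:02:00 GET /profile/5540
192.0.2.9 2020-10-03T08:00:00 GET /profile/200
192.0.2.9 2020-10-03T10:00:00 GET /profile/201
192.0.2.9 2020-10-03T13:00:00 GET /profile/202
"""
LINE_RE = re.compile(r"^(\S+) (\S+) GET /profile/(\d+)$")

def parse(log_text):
    """Group (timestamp, profile_id) tuples by client IP; lines that don't match are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m[1]].append((datetime.fromisoformat(m[2]), int(m[3])))
    return events

def flag_enumerators(log_text, window_s=60, max_requests=5, min_sequential=4):
    """Return {ip: [reasons]} for clients whose profile requests look like ID enumeration."""
    flagged = {}
    for ip, evs in parse(log_text).items():
        evs.sort()
        # Rate check: request i and request i-max_requests bound max_requests+1 hits; if that
        # span fits in window_s seconds, the client exceeded max_requests per window.
        rate_hit = any((evs[i][0] - evs[i - max_requests][0]).total_seconds() <= window_s
                       for i in range(max_requests, len(evs)))
        # Sequence check: longest run of profile IDs each exactly one higher than the previous.
        ids = [pid for _, pid in evs]
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        reasons = ([f"more than {max_requests} requests within {window_s}s"] if rate_hit else []) + \
                  ([f"{longest} consecutive profile IDs"] if longest >= min_sequential else [])
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The slow client that fetches three consecutive IDs over five hours stays below both thresholds, which is the trade-off a real deployment tunes: random IDs remove the sequence signal entirely, and rate limiting at the edge removes the need to find it in logs after the fact.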
Gravatar Claims the Issues Are Fixed
Gravatar has released a statement on Twitter saying that the issues that enabled this data scraping incident in October 2020 have all been addressed and fixed.
The company also urged its users to get better acquainted with its safety features by visiting its homepage. Unfortunately, the destination URL was HTTP, not HTTPS (the secure version).