Data of more than 114 million Gravatar users leaked online | safety

• Six times Brazilians’ CPFs have been leaked online

According to the website, a vulnerability discovered in October 2020 allowed large amounts of data to be scraped from Gravatar users. Later, this vulnerability was already exploited, which triggered an alert. Gravatar integrated with site accounts WordPress.

Have you ever fallen victim to web viruses? Participate in the TechTudo Forum

The Have I Been Pwned alert informs about a user data leak. By all appearances, 167 million names, usernames, and MD5 hashes – the email address aggregation algorithm used to denote users’ avatars – have been replicated and posted to the hacker community.

Troy Hunt, creator of Have I Been Pwned, posted a tweet about it last Sunday (5). In the post, he claimed to be among the victims of the leak and demanded clarifications from Gravatar. My data is in the Gravatar snippet (and it was in LinkedIn). It’s not huge, but it’s still frustrating, and I want to know about it,” Hunt reported.

Hunt said he won’t stop using the service, but the platform needs to defend against it skimming (“Scraping”, in free translation). The term is called a technology that automates data collection on a website or web application and is often used to simplify consultation and collection on a general basis.

Bug testing and leaked data

Bleeping Computer has published a demo of the Gravatar bug. They noted that an additional method of accessing user data involves using a numeric identifier associated with each data fetching profile. This will allow any web crawler or bot to query the entire Gravatar database sequentially and thus collect public data very easily.

In the tests conducted by the company, it can be confirmed that some profiles have more public data than others. For example, BitCoin wallet addresses, phone numbers, location, and more are displayed. According to Bleeping Computer, users who create public profiles on Gravatar agree to make this data publicly available.

Although websites, services, and social networks provide safeguards against hackers, no platform is completely safe from security breaches and data scraping. In the latter case, the user does not have much to do: it is necessary that the site make security modifications or update privacy permissions.

To maintain data privacy, the user can follow some recommendations. Among them is not saving payment information. Although this practice is convenient, it is also dangerous, as material can fall into the hands of cybercriminals in the event of possible leaks.

It is also important. Create strong passwords, avoid or use Easy-to-guess keywords. Another tip is to turn on 2-step verification whenever possible to create an extra layer of protection.

see also: How to unlock Android phone in safe mode