Gravatar, the avatar platform, was recently the victim of a data leak, according to information from the service Have I Been Pwned. The site monitors leaks of access credentials and lets users check whether details such as a registered email address or phone number appear in them. It is estimated that data from 114 million Gravatar users may be in the hands of hackers or cybercriminals.
According to the website, a vulnerability discovered in October 2020 allowed large amounts of data to be scraped from Gravatar users. The vulnerability was later exploited, which triggered the alert. Gravatar is integrated with WordPress site accounts.
The Have I Been Pwned alert informs users about the data leak. By all appearances, 167 million names, usernames, and MD5 hashes of email addresses (the hashes Gravatar uses to reference users’ avatars) were copied and posted in the hacker community.
Troy Hunt, creator of Have I Been Pwned, posted a tweet about it last Sunday (5). In the post, he said he was among the victims of the leak and demanded clarification from Gravatar. “My data is in the Gravatar snippet (and it was in LinkedIn). It’s not huge, but it’s still frustrating, and I want to know about it,” Hunt reported.
Hunt said he won’t stop using the service, but that the platform needs to defend against scraping. The term refers to a technique that automates data collection from a website or web application, and it is often used to simplify looking up and collecting data in bulk.
Bug testing and leaked data
Bleeping Computer has published a demonstration of the Gravatar bug. It noted that an additional method of accessing user data involves using a numeric identifier associated with each profile to fetch its data. This allows any web crawler or bot to query the entire Gravatar database sequentially and thus collect public data very easily.
The tests conducted by the company confirmed that some profiles have more public data than others. For example, Bitcoin wallet addresses, phone numbers, location, and more are displayed. According to Bleeping Computer, users who create public profiles on Gravatar agree to make this data publicly available.
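On the defensive side, a sequential walk over numeric profile identifiers leaves a recognizable pattern in access logs. The following is an added example, not code from Gravatar or Bleeping Computer: it flags clients whose requests step through the ID space in order. The log format, the `/profiles/<id>.json` path and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log lines. The "/profiles/<id>.json" path is a hypothetical
# stand-in for any endpoint keyed by a numeric profile identifier.
SAMPLE_LOG = """\
203.0.113.7 GET /profiles/1001.json 200
198.51.100.20 GET /profiles/48213.json 200
203.0.113.7 GET /profiles/1002.json 200
203.0.113.7 GET /profiles/1003.json 200
192.0.2.14 GET /profiles/5120.json 200
203.0.113.7 GET /profiles/1004.json 404
198.51.100.20 GET /profiles/77.json 200
203.0.113.7 GET /profiles/1005.json 200
192.0.2.14 GET /profiles/5121.json 200
203.0.113.7 GET /profiles/1006.json 200
192.0.2.14 GET /profiles/902.json 200
198.51.100.20 GET /profiles/48213.json 200
"""

# The status code is matched but ignored: misses (404) are part of an ID walk too.
LINE_RE = re.compile(r"^(\S+) GET /profiles/(\d+)\.json \d{3}$")

def parse(log_text):
    """Return {client_ip: [profile_id, ...]} in request order."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    return by_client

def longest_sequential_run(ids, max_step=1):
    """Longest run in which each ID exceeds the previous one by 1..max_step."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_run=5, max_step=1):
    """Clients that walk the ID space in order for at least min_run requests."""
    return {ip: r for ip, ids in parse(log_text).items()
            if (r := longest_sequential_run(ids, max_step)) >= min_run}

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

Raising `max_step` catches crawlers that skip IDs, and a production version would also group by account or user agent, since a crawler can spread requests across many addresses.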
Although websites, services, and social networks provide safeguards against hackers, no platform is completely safe from security breaches and data scraping. In the latter case, there is not much the user can do: the site has to make security changes or update its privacy permissions.
To maintain data privacy, the user can follow some recommendations. Among them is not saving payment information. Although this practice is convenient, it is also dangerous, as that information can fall into the hands of cybercriminals in the event of a leak.