What happened
According to public breach records, the Gravatar data breach on October 3, 2020 is reported to have exposed the personal information of 113,990,759 accounts.
In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data. After the impacted email addresses became searchable in HIBP, Gravatar released an FAQ detailing the incident.
Passwords in this breach were reportedly stored as MD5 hashes.
In October 2020, a security researcher published a technique for scraping large volumes of profile data from Gravatar, the globally-recognized-avatar service: because Gravatar assigned user profiles sequentially and applied virtually no rate limiting, profiles could be enumerated and harvested in numerical order at scale. Roughly 167 million names, usernames, and MD5 hashes of email addresses were scraped and circulated; about 114 million of those MD5 hashes were subsequently cracked and distributed alongside the source hashes, disclosing the original email addresses. What made it notable is that the exposure stemmed from how publicly-reachable profile data could be systematically enumerated rather than from a server intrusion, and no passwords were reported as exposed.
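As an added illustration (not code from the original page or from Gravatar), the Python snippet below shows why an unsalted MD5 of a normalized email address gives no real confidentiality, and how someone can check their own addresses against a leaked hash list without sharing the addresses themselves. The leaked hash list is constructed for the example; the normalization (trim, lowercase, MD5) is the scheme Gravatar documents for avatar URLs.

```python
import hashlib


def gravatar_hash(email: str) -> str:
    """MD5 of the trimmed, lowercased address, the value used to name an avatar.

    There is no salt, so the same address always yields the same hash and
    anyone holding a candidate address can recompute it and compare.
    """
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def find_exposed(my_emails, leaked_hashes):
    """Return the subset of my_emails whose Gravatar hash appears in a leak.

    This is the same recomputation that let the scraped hashes be mapped back
    to addresses: the hash protects nothing once the address is guessable.
    """
    leaked = {h.strip().lower() for h in leaked_hashes}
    return sorted(e for e in my_emails if gravatar_hash(e) in leaked)


# Constructed sample of a leaked dump: hex MD5 values, one per profile.
LEAKED_HASHES = [
    gravatar_hash("alice@example.com"),
    gravatar_hash("bob@example.org"),
    "00000000000000000000000000000000",  # constructed filler entry
]

if __name__ == "__main__":
    # "Alice@Example.com" matches despite the case difference after normalization.
    print(find_exposed(["Alice@Example.com", "carol@example.net"], LEAKED_HASHES))
```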
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Names
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | Gravatar |
| Date | October 3, 2020 |
| Accounts affected | 113,990,759 |
| Domain | gravatar.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Gravatar; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Treat your Gravatar-linked email address as publicly known and tied to your name and username — be alert for targeted phishing and spoofed messages that reference these real details to appear legitimate.
- Because emails were leaked alongside names and usernames, watch for credential-stuffing attempts on accounts that reuse this email; ensure each important account uses a unique password and enable two-factor authentication.
- Avoid clicking links or attachments in unexpected emails that address you by your real name, and verify any account or security notice by navigating to the service directly rather than via emailed links.
- Consider using email aliases or filtering for the exposed address to contain spam and reduce the impact of being included in future combolists.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: Gravatar Data Breach
- Gravatar "Breach" Exposes Data of 100+ Million Users — Search Engine Journal