Alleged Gravatar “Breach” Exposes 100+ Million Users’ Data

114 million Gravatar users received an email from the security alert company, HaveIBeenPwned, stating that their accounts have been exposed in what could be called a data breach. Gravatar, an online avatar service, denies ever being hacked, as Search Engine Journal reports. 

What Led to the Data Breach?

While officially, this leak cannot be classified as a data breach, it still compromises users’ privacy to an extent. The way Gravatar user information is stored made accessing data information on millions of users much easier for any person with malicious intent. This user information could be further used to hack the accounts and gain access to passwords. That part is not that difficult because most people use weak passwords, as hacking statistics show. The users’ information was publicly available. For someone to enter an account, however, they first needed to know the email and password of the user. But, since the email addresses were stored in an MD5 hash (not a very secure format) a hacker could easily get past the Gravatar security system.

Difference Between Data Scraping and Data Breach

A data breach or data leak happens when an unauthorized person gains access to information that in other ways is not publicly available, whereas data scraping happens when software is used to download public information from a website. In the email sent to its users by HaveIBeenPwned, the word breach is used, but the founder, Troy Hunt, explains in a tweet that it was a matter of templated wording, they were referring to data scraping as stated in the tweet. However, he states that it could be classified as a ‘breach’ if the information is misused. Gravatar, on the other hand, insists that this was not a breach. 

What Do the Users Expect From Gravatar?

Most users agree that they want more control of how their Gravatar information is used. Why is it important to know that? Well, because, as identity theft statistics show, 1 in 15 people are victims of identity theft. To prevent potential identity theft, users could decide to invest in tools used as protection against potential identity theft. At the very least, every user wants to know how their data would be used and how they can be accessed. It’s not that big a prize to pay for users’ trust.