Published: January 19, 2022 in our Security Fraud News & Alerts Newsletter.
Avatars can say a lot about an individual, but they can say a lot more when a popular company like Gravatar (Globally Recognized Avatar) gets breached. Everyone from celebrities, sports figures, and gamers to social media users and, of course, everyday folks has an avatar. Researcher Troy Hunt, the cybersecurity do-gooder behind the Have I Been Pwned website, recently found that data “scraped” from Gravatar’s platform exposed the data of nearly 114 million of their customers.
The vulnerability that led to the scraping was originally discovered in 2020. However, the types of information in the hands of bad actors may be more damaging than previously thought.
Gravatar’s Data Scraping Revealed
In 2020, a security researcher published a technique for scraping enormous amounts of data from Gravatar. Simply put, “data scraping” means using an automated tool to extract data from a specific program or codebase. That is exactly what the flaw in Gravatar’s system allowed. Threat actors used it to scrape the names, usernames, and email addresses of millions of Gravatar users, and the data was then published among the hacking community. According to Hunt, this Gravatar breach revealed only names, emails, and usernames. Bad enough, but that’s not all we’ve learned.
We now know researcher Carlo Di Dato told Bleeping Computer that 2020’s Gravatar data scrape was much more serious than first believed. He claims much more data could be accessed, including other accounts linked to Gravatar users, their phone numbers, geographic location and even the addresses of their Bitcoin wallets. Di Dato claims it was Gravatar’s choice not to react to the findings that led him to make this flaw public.
Password Safety First!
As these flaws and resulting hacks grow daily, there are suggestions on how to avoid becoming the next victim. Should you have the Gravatar app on a device, delete it immediately if you’re not using it. If you choose to keep it, change the password, using letters, numbers, and special characters. If nothing else, a changed password presents another hurdle for bad actors to jump, and hopefully they’ll move on to an easier target. And of course, never share passwords – with anyone.