
Gravatar data leak: data from 113 million e

2021-12-06T16:41:08.448Z


Attackers could access user data on a large scale with little effort from the Gravatar online service, which is linked to Wordpress and Slack, warned an expert a good year ago. Now that is exactly what has happened.



Computer crime (symbol image): data from tens of millions of users is available on the Internet

Photo: imago stock & people / imago / Michael Weber

For many people, the week began with a warning: "You've been pwned," read the emails that the operators of the Have I Been Pwned service sent in the morning to a number of their subscribers. The email account to which each warning was sent was affected by a data leak at Gravatar, as were 113,990,759 other accounts.

This may have caused confusion for some addressees.

Gravatar is a service that makes it possible to use profile pictures on different websites.

But even if Gravatar manages the data of millions of users, you don't necessarily have to be aware of the company.

The company belongs to the Automattic group, whose best-known product is probably the blogging software Wordpress, in which Gravatar is integrated.

Gravatar also cites the programming portal GitHub and the chat service Slack as customers.

Anyone who has created an account including a profile picture on one of these pages or on a page created with Wordpress on which the feature was activated could be affected by the data leak.

Warning in October 2020

According to Have I Been Pwned, the incident goes back to a technique that security expert Carlo Di Dato demonstrated more than a year ago. As the online magazine "Bleepingcomputer" reported at the time, he had found that a so-called scraping method could be used to access data from Gravatar on a large scale. This is, in principle, publicly available data. The IT security company G Data warns, however, that user data accumulated massively, as in this case, can be used by cyber criminals for phishing attacks and attempted fraud.

When checking the method described by Di Dato, "Bleepingcomputer" found that some data records also contained information about Bitcoin wallets, telephone numbers and location data of the respective users.

The editors had warned at the time: "This is problematic because every web crawler or bot can now query practically the entire Gravatar database and, thanks to this little-known, but effective technology, can very easily access public user data."

Warnings by subscription

That is exactly what has now apparently happened. According to Have I Been Pwned, unknown parties were able to download the email addresses, usernames and so-called MD5 hashes (one-way fingerprints of the email addresses, not encrypted data) from 164 million Gravatar accounts. For 114 million of these records, the MD5 hashes were reversed back to the underlying email addresses and distributed online together with the original data. The Have I Been Pwned service states that the corresponding database includes email addresses, names and usernames.

Services such as Have I Been Pwned and the Identity Leak Checker of the Hasso Plattner Institute in Potsdam provide information about the known data leaks in which your log-in data has already appeared.

While both let you actively check whether certain email addresses appear in data leaks, the US service also offers the option of being notified automatically as soon as one of your addresses appears in a new leak.

mak

Source: spiegel
