Gravatar, which is powered by the same company as WordPress, has reportedly suffered one of the biggest data breaches in history.
As per BuiltWith, 6,358,273 websites use Gravatar to offer avatar (profile image) services to their users.
Stats about the hack
167 million names, usernames, and MD5 hashes of the email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community and on the dark web.
114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and the accompanying data.
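As an added illustration (not part of the original article), the following Python shows how Gravatar derives the avatar reference from an email address (MD5 of the trimmed, lower-cased address) and how a user or site owner can check their own addresses against a sample of leaked hashes. The leaked sample is constructed for the example; `exposed_addresses` and `LEAKED_SAMPLE` are names assumed here.

```python
import hashlib
from typing import Iterable, List, Set


def gravatar_hash(email: str) -> str:
    """MD5 hex digest of the trimmed, lower-cased address, the value
    Gravatar embeds in avatar URLs (https://www.gravatar.com/avatar/<hash>)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def avatar_url(email: str) -> str:
    """Public URL under which the avatar for this address is served."""
    return "https://www.gravatar.com/avatar/" + gravatar_hash(email)


def exposed_addresses(my_emails: Iterable[str], leaked_hashes: Iterable[str]) -> List[str]:
    """Return the addresses in my_emails whose avatar hash appears in the leak.

    The check is one set-membership test per address. Because the hash is
    unsalted MD5 over a guessable input, the same test works for anyone holding
    the leaked hashes and a list of candidate addresses, which is why the
    hashes ended up disclosing email addresses instead of protecting them.
    """
    leaked: Set[str] = {h.strip().lower() for h in leaked_hashes}
    return [e for e in my_emails if gravatar_hash(e) in leaked]


# Constructed sample standing in for a breach-notification feed: the address is
# fictitious and its digest is derived here, not taken from any real dump.
LEAKED_SAMPLE = [
    gravatar_hash("alice@example.com"),
    "0cc175b9c0f1b6a831c399e269772661",  # md5("a"), unrelated filler entry
]

if __name__ == "__main__":
    mine = ["Alice@Example.com ", "bob@example.org"]
    # Normalisation means the differently-cased, padded address still matches.
    print(exposed_addresses(mine, LEAKED_SAMPLE))  # ['Alice@Example.com ']
```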
Back around 2020, security researcher Carlo Di Dato demonstrated the flaw, but Automattic, the company that powers Gravatar and WordPress, ignored it.
Apart from WordPress, the list of affected websites also includes popular sites like GitHub, Slack, Stack Overflow, Disqus, P2, WordPress.com, wordpress.org, and many others that use Gravatar for their avatar service.
The hacked data has been circulated so widely that it has now reached Firefox and https://haveibeenpwned.com/, and users are being informed about the breach.
How can this data be used?
Your fake profiles in secret groups: the breach will also expose the identity of users who hide behind different names on different sites but use the same email address.
Finding which sites you use: the breached data can also be used to find a person's accounts on different sites.
Targeted advertising: with the trail now clear, one can use these emails for targeted advertising by sending bulk emails or even remarketing through Facebook and Google remarketing.