HIGH SEVERITY

Gravatar Data Breach

Gravatar Avatar Service API Scrape (2020): 49 Million User Profiles Including Names & Phone Numbers Enumerated

Global avatar service linked to email identities.

Verified by ObscureIQ Intelligence

Severity: 6.5
Records: 49.7M
Fields: 4
Year: 2020

ObscureIQ Breach Intelligence Scores

Breach Risk Index: 0.8
Data Value: 3
Market Recency: 25
Since Breach: 512 days

Risk Interpretation

Exposure can enable cross-site identity correlation, deanonymization, and phishing. Because the service links a profile across many properties, it can act as a bridge between pseudonymous and real identities.

🎯 Impact & Downstream Threats

In October 2020 a security researcher demonstrated a method to scrape Gravatar's public API at scale, harvesting profile data — including names, usernames, phone numbers, and email address associations — for tens of millions of users. Gravatar published an FAQ acknowledging the scraping and characterizing the data as public by design, arguing that the service was built to make profile information accessible across the web. The core tension the incident surfaced was whether systematic aggregation

Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses

🔓 Threat Vectors

Phishing, credential stuffing & account takeover
Name-based social engineering
SIM swapping, vishing & SMS phishing
Cross-platform tracking & credential stuffing

📋 Breach Intelligence

Entity: Gravatar
Organization: Private Company • USA / Global
Breach Date: 2020-10-03
DBC Added: 2024-12-01
Added Date: 2024-12-01
Records: ~49.7M (49,665,132 records)
Attack Vector: Data Scraping
Data Subjects: User
Breach Pathway: Scrape
Source: Have I Been Pwned / DataBreach.com / ObscureIQ
Sensitivity: Standard
Breach ID: 600;601
Status: Confirmed

📝 Executive Summary

Gravatar, the avatar service used across millions of websites and owned by Automattic, had data on approximately 114 million of its users scraped and distributed within hacking communities in October 2020. A security researcher demonstrated a technique for enumerating Gravatar's public API at scale, harvesting names, usernames, and email address references for around 167 million accounts. The email addresses were stored as MD5 hashes, which offer little protection: the hash of a known or guessed address can simply be matched against the set. 114 million of those hashes were cracked in this way, exposing the underlying email addresses alongside the associated profile data (names and usernames). For some users, phone numbers were also tied to their profiles, an unexpected exposure given that Gravatar is primarily thought of as an image-linking service.

Because Gravatar is designed to connect a single email address to a profile displayed across many platforms, the scraped dataset can be used to link a person's activity across different sites, including those where they used a pseudonym or believed themselves to be anonymous. Gravatar published an FAQ after the incident, characterizing the scraped information as public by design, since the service was built to make profile data accessible across the web. No regulatory action or litigation specific to this incident has been documented.

For affected users, the primary risk is identity correlation and targeted phishing. Anyone who used a consistent email address across platforms should be alert to the possibility that their online activity can be linked and their real identity inferred from the aggregated data.

🏢 About Gravatar

Gravatar is a globally recognized avatar service owned by Automattic, the company behind WordPress.com. The service links a user's email address to a profile image and publicly visible profile information, which is then displayed automatically across any website or platform that has integrated Gravatar. It was founded in 2004 and acquired by Automattic in 2007. Gravatar profile data is by design intended to be publicly associated with a user's email address across the web.

Platform: Avatar and identity services | Profile and identity management service | Global
Private Company • USA / Global • gravatar.com

🗂 Why They Hold Your Data

Profile and identity-management services collect emails, usernames, avatar associations, profile metadata, and linked account information used to represent identities across websites.

📰 Recent Developments

Gravatar continues to operate as part of the Automattic ecosystem. No major changes to the service have been publicly announced in the recent period. Its integration is embedded across millions of WordPress installations and third-party platforms globally.

🔍 Data Points Exposed

4 verified field types:
  • Email
  • Phone Number
  • Name; Email
  • Names
  • Usernames

Canonical Fields

email_address, full_name, phone_number, username

🌐 Dark Web Verification

Confirmed

🛡 Recommended Actions

⚠️ Do not assume this is low sensitivity.

1. Freeze Your Credit
   Place a credit freeze with Equifax, Experian, and TransUnion.
2. Expect Targeted Phishing
   Watch for emails referencing this breach. Verify through official channels.
3. Enable MFA Everywhere
   Enable multi-factor authentication on all accounts.
4. Monitor Accounts
   Watch for unauthorized activity on financial and personal accounts.
5. Check Your Exposure
   ObscureIQ clients: this breach is indexed in your profile.


ObscureIQ Advisory

We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.


Classification Tags

Data Scraping, Email, Phone

Powered by the ObscureIQ Breach Intelligence Database

© 2026 ObscureIQ · All Rights Reserved · Data Licensing
