Gravatar 2020 Data Breach

Gravatar Avatar Service API Scrape (2020): 49 Million User Profiles Including Names & Phone Numbers Enumerated | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Data ScrapingIdentityEmail AddressFull NamePhone NumberUsername
Low SeverityWebsite / service breach

Gravatar Avatar Service API Scrape (2020): 49 Million User Profiles Including Names & Phone Numbers Enumerated

Global avatar service linked to email identities.

Verified by ObscureIQ Intelligence
17/100Breach Risk Index
3Data Value
25Market Recency
512dSince Breach

Breach Intelligence Summary

Entity: Gravatar · Actor: Unknown · Sources: 5 references
Attack: Data Scraping
Profile: Platform · Avatar and identity services · Profile and identity management service · Global
Timeline: Breach (2020-10-03) · Indexed (Dec 01, 2024) · Year (2020)
Exposure: 49.7M records · 4 fields: Email Address, Full Name, Phone Number, Username
Status: Confirmed

Executive Summary

Gravatar, the avatar service used across millions of websites and owned by Automattic, had data on approximately 114 million of its users scraped and distributed within hacking communities in October 2020. A security researcher demonstrated a technique for enumerating Gravatar's public API at scale, harvesting names, usernames, and email address references for around 167 million accounts. The email addresses were stored as MD5 hashes, a format that can be reversed. 114 million of those hashes were cracked, exposing the underlying email addresses alongside the associated profile data. The exposed data included names, usernames, and email addresses. For some users, phone numbers were also tied to their profiles, an unexpected exposure given that Gravatar is primarily thought of as an image-linking service. Because Gravatar is designed to connect a single email address to a profile displayed across many platforms, the scraped dataset can be used to link a person's activity across different sites, including those where they may have used a pseudonym or believed themselves to be anonymous. Gravatar published an FAQ after the incident, characterizing the scraped information as public by design, since the service was built to make profile data accessible across the web. No regulatory action or litigation specific to this incident has been documented. For affected users, the primary risk is identity correlation and targeted phishing. Anyone who used a consistent email address across platforms should be alert to the possibility that their online activity can be linked and their real identity inferred from the aggregated data.

ObscureIQ assessment: Exposure can enable cross-site identity correlation, deanonymization, and phishing. Because the service links a profile across many properties, it can act as a bridge between pseudonymous and real identities.

Breach Impact

In October 2020 a security researcher demonstrated a method to scrape Gravatar's public API at scale, harvesting profile data — including names, usernames, phone numbers, and email address associations — for tens of millions of users. Gravatar published an FAQ acknowledging the scraping and characterizing the data as public by design, arguing that the service was built to make profile information accessible across the web. The core tension the incident surfaced was whether systematic aggregation of intentionally public data at scale constitutes a privacy harm. No regulatory action or litigation specific to this incident has been documented. The dataset was distributed within hacking communities despite the public nature of the underlying data.

About Gravatar

Gravatar is a globally recognized avatar service owned by Automattic, the company behind WordPress.com. The service links a user's email address to a profile image and publicly visible profile information, which is then displayed automatically across any website or platform that has integrated Gravatar. It was founded in 2004 and acquired by Automattic in 2007. Gravatar profile data is by design intended to be publicly associated with a user's email address across the web.

Why They Hold Your Data

Profile and identity-management services collect emails, usernames, avatar associations, profile metadata, and linked account information used to represent identities across websites.

Recent Developments

Gravatar continues to operate as part of the Automattic ecosystem. No major changes to the service have been publicly announced in the recent period. Its integration is embedded across millions of WordPress installations and third-party platforms globally.

Data Points Exposed

4 verified field types
Email Address
Full Name High
Phone Number
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Gravatar breach?

Gravatar, the avatar service used across millions of websites and owned by Automattic, had data on approximately 114 million of its users scraped and distributed within hacking communities in October 2020. A security researcher demonstrated a technique for enumerating Gravatar's public API at…

What data was exposed?

Verified fields include Email Address, Full Name, Phone Number, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
Dehashed
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation