What Happened
In October 2020, Gravatar, a service that provides globally unique avatars linked to email addresses and is used across platforms like WordPress and GitHub, suffered a large-scale data scraping incident rather than a traditional hack. Attackers exploited its public API, following a technique published by security researcher Carlo Di Dato, to harvest up to 167 million user profiles containing names, usernames, MD5-hashed email addresses (114 million of which were cracked to reveal plaintext emails), profile URLs, locations, phone numbers, and other public details, which resulted in nearly 49 million unique records circulating in hacker communities. No passwords were compromised, but the exposure raised phishing and identity-linking risks, prompting Gravatar to issue an FAQ and users to check services like Have I Been Pwned.
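
The MD5-hashed email addresses above were reversible because the hash is unsalted and computed over a guessable value. The following added example (not part of the original write-up, and not Gravatar's code) shows the defensive side of that property: checking whether addresses you own appear in a set of leaked hashes. It assumes Gravatar's documented scheme of MD5 over the trimmed, lower-cased address; the function names, addresses and hash list are constructed for illustration.

```python
import hashlib


def gravatar_hash(email: str) -> str:
    """Assumed scheme: MD5 hex digest of the trimmed, lower-cased address."""
    normalised = email.strip().lower()
    return hashlib.md5(normalised.encode("utf-8")).hexdigest()


def exposed_addresses(own_addresses, leaked_hashes):
    """Return the normalised addresses whose hash appears in the leaked set.

    No salt or secret is involved, so anyone holding a list of candidate
    addresses can run the same comparison. That is why a hashed address
    in a scraped profile offers little protection for its owner.
    """
    # Leaked dumps vary in case and may contain blank lines; normalise them.
    leaked = {h.strip().lower() for h in leaked_hashes if h.strip()}
    hits = set()
    for addr in own_addresses:
        if gravatar_hash(addr) in leaked:
            hits.add(addr.strip().lower())
    return sorted(hits)


# Constructed sample data: addresses an organisation owns ...
OWN_ADDRESSES = ["Alice@Example.com ", "bob@example.com", "carol@example.com"]

# ... and a constructed stand-in for a leaked hash list.
LEAKED_HASHES = [
    gravatar_hash("alice@example.com"),
    gravatar_hash("carol@example.com").upper(),  # dumps may be upper-case
    "0" * 32,                                    # unrelated entry
    "",                                          # blank line in the dump
]

if __name__ == "__main__":
    for address in exposed_addresses(OWN_ADDRESSES, LEAKED_HASHES):
        print("present in leaked set:", address)
```
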


