Gravatar data leak

Topic

New Reply

You may have seen in the news that the site that provides the icons/images for this site and other WordPress based sites has been involved in a breach
[See the full post at: Gravatar data leak]

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

ve2mrx, rontpxz81

Reply | Quote

Replies

There’s something more going on with this data. I got a notice from Troy Hunt’s Have I Been Pwned that an address of mine that I only use for personal communication (never for any kind of business) was in the data set. I had never even heard of this company until now and confirmed that I’ve never signed up for anything with them or even received an email from them. The address is in the form of firstname@firstnamelastname.com so they might have created a spam list of some kind that they never used, but it definitely didn’t come from me.

Reply | Quote

I also received an email from Have I Been Pwned and I have never heard of Gravatar either.

Reply | Quote

The last bit of advice about changing all the passwords periodically is a bit tough in practice. I have 336 passwords in my Keepass database. Early in the lock down I went through all of them to ensure they are all unique and complex, but it took me forever. I don’t think I could do that often, even if I could find the time to do so.

Chris
Win 10 Pro x64 Group A

Reply | Quote

I also use KeePass and have hundreds of entries. To be able to check all my passwords at once (saving me a ton of time!), I added a plugin called HIBPOfflineCheck that checks your passwords against the Have I Been Pwnd breach data. It can either do an online check or an offline check. To do an offline check you’ll need to download a large file from HIBP’s site. It’s faster – and I think more secure – than the online check so that’s what I use. I check monthly to see if a new breach file is available for download. After downloading, clear the previous check in KeePass using the entry under the “Tools” dropdown menu and run another check against the new data file. Takes no time at all.

https://keepass.info/plugins.html#breachchk

https://github.com/mihaifm/HIBPOfflineCheck

https://haveibeenpwned.com/Passwords  (scroll to the bottom of the page and download the “SHA-1 by hash” version)

 

Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

3 users thanked author for this post.

SueW, Chris B, Rick Corbett

Reply | Quote

Should we change our Ask Woody website password?

Reply | Quote

Not specifically because of this, they didn’t scrape passwords, but if the askwoody password isn’t unique, I’d change it.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Woody published a blog warning about disclosing personal info into Gravatar in October 2020:
https://www.askwoody.com/2020/if-you-have-an-avatar-a-picture-here-on-askwoody-make-sure-gravatar-doesnt-have-any-personal-data/
‘Da Boss’ with finger on the pulse as usual..

Windows - commercial by definition and now function...

2 users thanked author for this post.

SueW, Alex5723

Reply | Quote