• Gravatar data leak

    You may have seen in the news that the site that provides the icons/images for this site and other WordPress-based sites has been involved in a breach. But as I read it, it’s not really a breach, but rather sloppy coding.

    Nothing was breached. Someone found that Gravatar uses sequential IDs with a JSON-based API, which means anyone can very easily enumerate your publicly available data. That is slightly easier than scraping the page, but nothing has leaked; everything that was/is available was covered by a notice that Gravatar would make those details publicly available. Perhaps Gravatar just shouldn’t have made it so easy to get those details in bulk.
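    A defender-side illustration of the weakness described above, added here and not part of the original post: a short Python check that scans web-server access logs for a single client walking consecutive numeric IDs on a JSON endpoint, which is what sequential IDs make trivial. The endpoint path and log lines are constructed for the example and are not Gravatar’s.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): one client walking
# sequential numeric profile IDs on a hypothetical JSON endpoint, plus normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /profiles/1001.json HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET /profiles/1002.json HTTP/1.1" 200 498
203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET /profiles/1003.json HTTP/1.1" 404 0
203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET /profiles/1004.json HTTP/1.1" 200 530
203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET /profiles/1005.json HTTP/1.1" 200 501
198.51.100.4 - - [10/Dec/2021:10:00:04 +0000] "GET /profiles/42.json HTTP/1.1" 200 511
198.51.100.4 - - [10/Dec/2021:10:05:09 +0000] "GET /profiles/9001.json HTTP/1.1" 200 515
"""

# Matches the common-log-format prefix and captures the client IP and numeric ID.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /profiles/(?P<id>\d+)\.json')

def find_enumerators(log_text, min_run=4):
    """Return {ip: longest_consecutive_run} for clients whose requested numeric IDs
    form a consecutive run of at least min_run. Requests are sorted per client so
    interleaved or slightly out-of-order fetches are still caught; 404s count too,
    because an enumerator hits the gaps between existing IDs as well."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["id"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        seq = sorted(set(ids))
        best = run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: walked {run} consecutive profile IDs")
```

    Raising `min_run` or adding a time window turns this into a rate-limit trigger; the more durable fix is to serve such records under non-sequential identifiers so a walk is not possible in the first place.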

    That said, take the time during this holiday season to review your passwords and, especially, stop reusing them. One of the best proactive things you can do this holiday season is to make yourself a big mug of hot chocolate, sit down in front of your computer or iPad, and review the passwords on ALL of your sites. Change your passwords to much longer and stronger versions of what you are currently using. Do not reuse passwords over and over again on different web sites: all it takes is for an attacker to obtain one password from one account, and the attacker will try it on your other accounts. Even if you don’t reuse passwords, if you haven’t changed them in a while, it’s wise to update and revise them. Next, check whether you can add multi-factor authentication on sensitive accounts such as banking and email, and review your options for setting it up. Often you can configure a service to trust a browser you use all the time and to send a multi-factor prompt when you – or an attacker – try to log in from a new location.

    Action items for 2022: Choose better passwords and add multi-factor wherever you can.