Gravatar data leak and Discourse: should our users be worried?

Several sources state that there was a leak on October 3, 2020, and people are talking about it just now.

I don’t know anything about this kind of stuff, as well as the actual data that was leaked (names and emails are mentioned, but people say only public data was leaked).

I wonder what exactly happened with this 2-year-old data leak, if it affects our users (considering Discourse uses Gravatar) and if they should be informed about that.

I’d appreciate any information :slight_smile:

3 Likes

Discourse uses gravatar just for avatars. The breach might mean that people who had access to the breached data could infer what someone’s discourse email address is.

Discourse doesn’t use gravatar for authentication, so it doesn’t affect discourse.

4 Likes

From https://haveibeenpwned.com/PwnedWebsites#Gravatar

Gravatar

In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users’ avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data.

Breach date: 3 October 2020
Date added to HIBP: 5 December 2021
Compromised accounts: 113,990,759
Compromised data: Email addresses, Names, Usernames

Looks like it took a year to crack most of the MD5 hashes. And no, it won’t affect your users.

6 Likes

Worth noting how exactly we use gravatar.

Sites such as Stack Overflow hotlink to gravatar:

So… if my gravatar email leaks, people will trivially be able to connect the email I use at Stack Overflow with gravatar.

Gravatar usage at Discourse is very different, we do not hotlink to gravatar, we download a copy of the avatar and self host. We even resize the images ourselves.

11 Likes
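To make the hotlinking point above concrete, here is an added example (not code from Discourse or from anyone in this thread) that a site operator can use to audit their own pages. Gravatar identifies an avatar by the MD5 of the trimmed, lower-cased e-mail address, so any page that embeds a `gravatar.com/avatar/<hash>` URL publishes that hash; a page that serves a self-hosted copy, as Discourse does, publishes nothing derived from the e-mail. The e-mail address, the HTML snippets and the self-hosted path are constructed for the example.

```python
import hashlib
import re

# Gravatar's documented avatar identifier: MD5 of the trimmed, lower-cased address.
# usedforsecurity=False because this is an identifier, not a password hash.
def gravatar_hash(email: str) -> str:
    normalized = email.strip().lower().encode("utf-8")
    return hashlib.md5(normalized, usedforsecurity=False).hexdigest()

# Matches Gravatar avatar URLs with or without a scheme and on any gravatar.com
# subdomain (www., secure., 0., ...) and captures the 32-hex-character hash.
_GRAVATAR_URL = re.compile(
    r"(?:https?:)?//(?:[a-z0-9-]+\.)*gravatar\.com/avatar/([0-9a-f]{32})",
    re.IGNORECASE,
)

def find_hotlinked_gravatar_hashes(html: str) -> list:
    """Return the distinct e-mail hashes a page exposes by hotlinking Gravatar,
    in the order they first appear. An empty list means nothing to correlate."""
    found = []
    for match in _GRAVATAR_URL.finditer(html):
        digest = match.group(1).lower()
        if digest not in found:
            found.append(digest)
    return found

# --- constructed sample data (hypothetical address and markup) ---------------
ALICE_HASH = gravatar_hash(" Alice@Example.com ")  # whitespace/case are normalized away

# A page that hotlinks, the way the thread describes Stack Overflow doing it:
HOTLINKED_HTML = f"""
<img src="https://www.gravatar.com/avatar/{ALICE_HASH}?s=48&d=identicon" alt="alice">
<img src="//secure.gravatar.com/avatar/{ALICE_HASH}?s=96" alt="alice (retina)">
"""

# A page that serves a self-hosted, locally resized copy, the way Discourse does.
# The path is made up for the example; the point is that no e-mail hash appears.
SELF_HOSTED_HTML = """
<img src="/user_avatar/forum.example/alice/48/12_2.png" alt="alice">
"""

def audit(html: str) -> str:
    """One-line verdict for a fetched page."""
    hashes = find_hotlinked_gravatar_hashes(html)
    if not hashes:
        return "no Gravatar hotlinks: nothing e-mail-derived is exposed"
    return f"{len(hashes)} Gravatar e-mail hash(es) exposed via hotlinking"

if __name__ == "__main__":
    print("hotlinked page :", audit(HOTLINKED_HTML))
    print("self-hosted page:", audit(SELF_HOSTED_HTML))
```

Run it against saved HTML of your own pages (for example `find_hotlinked_gravatar_hashes(open("page.html").read())`) to see whether your site is in the Stack Overflow situation or the Discourse one; the leaked dataset only matters for pages in the first category, because that is where the hash of a user's e-mail can be read off the page and matched against the cracked list.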