Data privacy

Note regarding the report of a “breach” which was a misuse of our API:

Gravatar helps establish your identity online with a public profile. In October 2020, a security researcher scraped that public data – including usernames and MD5 hashes of email addresses used to reference users’ avatars – using our public API. The scraped data did not include any profile information beyond what was already publicly visible, but we did not intend for the API to be used in this way and so released an update the next day to prevent a recurrence.

While this incident was a misuse of our service, it was not a hack. No security protocols were breached.

Do I need to change my password?

No. No private data, including password hashes, was exposed.

Did Gravatar expose my email address?

Unless you explicitly opted to share your email address in your profile’s contact information, only an encoded version of your email was shared.

What information was collected from Gravatar?

Only the details shared in your public profile and an encoded version of your email address.

Below you will find answers to common questions about how Gravatar collects and uses your personal data. If you have any questions about Gravatar’s data handling or privacy practices, please contact our support team.

What personal information am I required to provide to use Gravatar?

In order to use Gravatar, you need a WordPress.com account, which requires an email address, username, and password. Your account email address is used to serve your profile image, if you provide one.

What personal data is publicly available when I use Gravatar?

  • The profile image(s) you upload to your account.
  • Any information you make public on your profile page.
  • The hash of your email address used to serve your profile image.

What is an email hash?

In this context, an email hash is a fixed-length fingerprint of your email address (Gravatar uses the MD5 hash of the trimmed, lowercased address) that sites with Gravatar enabled use to request and display your chosen Gravatar when you give those sites your email address. When a site uses Gravatar, it hashes your email address the same way and the hashes, not the addresses, are what get compared. This lets the service work without any site having to share email addresses with Gravatar or with each other.
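The following is an added example, not code from Gravatar or Automattic. It shows how a Gravatar-style email hash is formed (trim, lowercase, MD5), how a site turns it into an avatar request, how two parties can recognise the same user from hashes alone, and the caveat a practitioner should keep in mind: because the input space is guessable email addresses, anyone holding a candidate list can match a hash back to the address that produced it. The candidate list is constructed for illustration, and the `s` and `d` query parameters are the standard Gravatar size and default-image options.

```python
"""Gravatar-style email hashing: added illustration, not Gravatar's own code."""
import hashlib
from typing import Iterable, Optional


def gravatar_hash(email: str) -> str:
    """Normalise the address the way Gravatar does (strip whitespace, lowercase)
    and return the hex MD5 digest that identifies the avatar."""
    normalised = email.strip().lower()
    return hashlib.md5(normalised.encode("utf-8")).hexdigest()


def avatar_url(email: str, size: int = 80, default: str = "identicon") -> str:
    """Build the avatar URL a Gravatar-enabled site would request.
    Only the hash leaves the site; the address itself never does."""
    return (
        f"https://www.gravatar.com/avatar/{gravatar_hash(email)}"
        f"?s={size}&d={default}"
    )


def same_person(email_a: str, email_b: str) -> bool:
    """Two sites can tell they are looking at the same Gravatar user by
    comparing hashes, without either site revealing the address to the other."""
    return gravatar_hash(email_a) == gravatar_hash(email_b)


def recover_email(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """The caveat: the hash is one-way, but the inputs are guessable. Hashing a
    list of candidate addresses and comparing recovers the original address
    whenever it appears in the list. Returns the normalised match or None."""
    for candidate in candidates:
        if gravatar_hash(candidate) == target_hash:
            return candidate.strip().lower()
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    known_addresses = ["alice@example.org", "bob@example.net", "carol@example.com"]
    scraped_hash = gravatar_hash("Bob@Example.net ")  # what a scraper would see
    print("avatar URL:", avatar_url("MyEmailAddress@example.com"))
    print("same user :", same_person(" Alice@Example.org", "alice@example.org"))
    print("recovered :", recover_email(scraped_hash, known_addresses))
```

The `recover_email` function is the point of the example: the hash stops a site from learning an address it does not already hold, but it does not stop anyone who already holds a list of addresses from confirming which of them are present in a scraped set of hashes. Treat a published email hash as something that can be linked back to you by any party that can guess or obtain your address.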

Where can I learn more about Gravatar’s privacy practices?

Gravatar is a product of Automattic, Inc. and is covered by our privacy policy.

How do I avoid having personal data shared from Gravatar without my knowledge?

Gravatar is a service for creating a public profile that is consistent across Internet services and websites. By design it shares the information in your profile with all websites that utilize the Gravatar service. If you would prefer not to have a public, shared profile, there are several ways to reduce or eliminate the personal data you share via Gravatar.

  • You can edit your public profile to be sure you’ve only included information you are comfortable sharing.
  • If you no longer want your Gravatar image and profile data to be displayed you can follow the instructions on the Disable Account page. This will hide your profile and avatar image immediately, and they will be deleted after 30 days. Gravatar can be re-enabled later if desired, though deleted information will not be restored. You can also disable your Gravatar using the option to “Hide My Gravatar Profile” from the WordPress.com dashboard.
  • If you no longer need your Gravatar or WordPress.com account you can permanently close your account.

Why do I have a Gravatar account if I don’t remember creating one?

Gravatar utilizes WordPress.com accounts to sign in, so if you created an account with any of our other products that use WordPress.com accounts (such as WooCommerce or Akismet) then you also received a Gravatar account.

Why was my email on the list when it is not associated with a Gravatar/WordPress.com account?

It is possible to add secondary email addresses to your Gravatar account that aren’t themselves WordPress.com accounts. Your email address may have been a secondary email on another account.