The site relies on a series of design decisions made by the developers of WordPress and Gravatar. In newer versions of WordPress, a list of all users who have posted content is publicly available. The information about these users includes their display names, their usernames, and their “Gravatar.”
Gravatar is a service that can provide a unique avatar for each email address. They’re used by sites like Stack Overflow, Discourse, and thousands of other forums and blogs that include commenting systems.
Unfortunately, the standard implementation exposes a “hash” of the user’s email address in the Gravatar URL. In some cases, this makes it easy to reveal the actual email address of the user attached to a Gravatar. These Gravatars are also automatically created for users, and the hashed email address is available even if they’ve never created an account with Gravatar.
Because of the system’s fundamental design, all Gravatars are vulnerable to a persistent person with a beefy GPU and a copy of Hashcat. This site has a relatively small list of emails and their associated hashes, so you’ll likely find that 10%-25% of the Gravatars are reversible.
Here's a short reading list on Gravatar's privacy issues:
Not all websites are vulnerable to this tool. For it to work, a site must:
If you maintain a WordPress-based website: