In 2020, there was a security breach in Gravatar, a third-party service that was integrated into our services for setting up profile pictures on HypeDrop. This breach allowed unauthorized individuals to view the email addresses of users who used Gravatar.
We want to stress that this breach concerns Gravatar, not HypeDrop. However, a few users have received phishing messages and offers to 'buy accounts' at the email address associated with their HypeDrop account.
This happened because some users who were active in our chat had a specific hash in their Gravatar image URL. Some exploiters decoded this image URL hash and cross-referenced it against an old email database. Because HypeDrop levels are public, they were able to email some users in relation to their HypeDrop accounts.
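Why a hash in an avatar URL can be tied back to an email address, as an added example that is not HypeDrop's or Gravatar's code: Gravatar image URLs carry an unsalted MD5 of the trimmed, lowercased address, so the same value can be recomputed from any list of addresses, while an identifier keyed with a server-side secret cannot. The user records, address list, key and the `opaque_avatar_id` scheme below are constructed for illustration.

```python
import hashlib
import hmac

def gravatar_hash(email: str) -> str:
    """Gravatar-style identifier: unsalted MD5 of the trimmed, lowercased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def opaque_avatar_id(user_id: int, server_key: bytes) -> str:
    """Hypothetical alternative: HMAC-SHA256 over an internal user id.
    It is not derived from the email and needs the server key to recompute."""
    mac = hmac.new(server_key, str(user_id).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]

def linkable_identifiers(public_ids, known_emails):
    """Audit helper: return {public_id: email} for every exposed identifier
    that equals the Gravatar hash of an address in known_emails."""
    table = {gravatar_hash(e): e for e in known_emails}
    return {pid: table[pid] for pid in public_ids if pid in table}

# Constructed sample data (not real users, not a real address list).
USERS = [
    (101, "Alice@example.com "),   # stored with stray case and whitespace
    (102, "bob@example.org"),
    (103, "carol@example.net"),
]
OLD_ADDRESS_LIST = ["alice@example.com", "bob@example.org", "dave@example.com"]
SERVER_KEY = b"constructed-demo-key"  # assumption: kept secret on the server

def audit():
    """Compare what each identifier scheme lets an outside party link."""
    gravatar_ids = [gravatar_hash(email) for _, email in USERS]
    opaque_ids = [opaque_avatar_id(uid, SERVER_KEY) for uid, _ in USERS]
    return (
        linkable_identifiers(gravatar_ids, OLD_ADDRESS_LIST),
        linkable_identifiers(opaque_ids, OLD_ADDRESS_LIST),
    )

if __name__ == "__main__":
    weak, hardened = audit()
    print("Gravatar-style ids linked to an address:", len(weak), "of", len(USERS))
    for pid, email in weak.items():
        print("  ", pid, "->", email)
    print("Opaque ids linked to an address:", len(hardened), "of", len(USERS))
```

Normalisation before hashing is why the address stored as `Alice@example.com ` still matches the list entry `alice@example.com`.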
It is essential to clarify that this breach only exposed email addresses and levels, obtained by cross-checking the user's profile ID using the avatar hash. It did not expose any personal information pertaining to HypeDrop accounts: our own system stores all information securely, and this situation was caused by a third-party company's previous email leak. Some users may have chosen to disclose their personal information, assuming they could sell their accounts discreetly. However, we want to emphasize that we are diligently documenting each such case and will take appropriate action against anyone attempting to share their accounts.
What have we done?
We have now removed Gravatar from HypeDrop to prevent this from happening again. We perform checks on all third-party services to ensure that your data is safe.
What should I do?
If you have been part of the breach and did not take certain precautionary steps in the first instance, we recommend that you:
- Enable two-step authentication from your HypeDrop profile summary page.
- Avoid using identical passwords for multiple accounts and refrain from using old passwords.
- Always employ a robust, distinct password, preferably one that is randomly generated and securely managed through a password manager.
- If you suspect any compromise of your account, promptly update your password.
- Exercise caution when dealing with suspicious emails, particularly those prompting immediate action, and avoid clicking on dubious links.
- Verify the authenticity of the email sender, even if the message appears to be from a trusted source. In case of uncertainty, contact firstname.lastname@example.org.
- Decline offers to share or sell your profile information, as this is not only against our ToS but also exposes your information related to the account.
We understand that the security of your funds and personal data is of utmost importance to you, and it is equally important to us. Your personal data, such as names, addresses and other information, remains untouched and protected. Additional precautionary steps are always welcome, and we will continue improving and reviewing all the integrations we have with third-party apps to guarantee that your information remains safely stored.