Was Gravatar hacked or not? It depends on what you have read or what your definition of “hacked” is I suppose. The password breach monitoring service HaveIBeenPwned alerted users to a large-scale data leak by Gravatar, an add-on service for user profiles owned by Automattic.

In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing “globally unique avatars," HaveIBeenPwned warned. This technique allowed the details of just under 114 million users to get into hackers' hands.

Sarah Gooding over at WPTavern wrote that Automattic said they were not hacked. The Gravatar service gives you control over what you want to share online through their API.  So this information can be made public and somebody can scrape that data and use it nefariously. 

Jeff Chandler pointed out that this has been an issue since 2009 and shared the information from developer.it. Security researchers and privacy advocates have warned about privacy attacks on Gravatar for years.

Gravatar did not send out notices about the breach and left it to the user to accept the risk or use something other than Gravatar.

WordPress updates

There is a new directory for FSE block themes. Over on make.WordPress.org during the run-up to the release of 5.9 developers should note that the directory names for templates and template parts are being changed.  With the release of 5.9 these will instead be:

templates

parts

It's pretty straightforward.

Events

Ellen Bauer will be sharing a twitter space with Justin Mahinyala discussing #Freelance opportunities for developers, designers, writers, and marketers in the #WordPress ecosystem. They will share advice and tips on how to get started. DM any questions you want them to talk about.