Cannot log in; changed password after Gravatar data breach, now stuck in login loop

  • After the Gravatar / WordPress data breach I logged in and changed my password. This seemed OK. I copied the password *from* a text file to make sure I didn’t have any typos. I signed out, then tried to sign back in.

    At both wordpress.com and gravatar.com, I type in ‘[REDACTED]’ as the e-mail address and provide the new password. This appears to be accepted and correct; however, I’m then taken to a page that says:

    ‘Sign in to Gravatar with WordPress.com Connect

    Gravatar now allows you to use a WordPress.com account to sign in. If you have a WordPress.com account already then you can use that, or you can create a new one.’

    This doesn’t work. If I click on the button, I just get the same page again. I also used the sign-in form to send me a login link at my e-mail address, and again, got the same result.

    I appear to be completely locked out, despite having entirely correct login credentials, all because I changed my password at wordpress.com.

    What on earth is going on?!

    WP.com: Yes
    Correct account: Unknown

  • Hello there,

    Many thanks for reaching out.

    > After the Gravatar / WordPress data breach I logged in and changed my password. This seemed OK. I copied the password *from* a text file to make sure I didn’t have any typos. I signed out, then tried to sign back in.

    Just to offer reassurance, Gravatar was not hacked; instead, a security researcher scraped public Gravatar data (usernames and MD5 hashes of email addresses used to reference users’ avatars) by abusing our API. We immediately patched the ability to harvest the public profile data en masse.

    > This doesn’t work. If I click on the button, I just get the same page again.

    I’d just like to clarify the behaviour you’re seeing there: are you clicking this button and nothing is happening? Are you seeing any error messages at all?

    Also, are you able to confirm if resetting the password here: https://wordpress.com/wp-login.php?action=lostpassword – solves the issue?

    Many thanks.

  • I’m seeing the same thing. I heard about the data breach and went to gravatar.com and logged in with my username/password. I went to change the password, and it redirected me to WordPress to do that, and after I changed the password, Gravatar gets stuck in the login loop.

    If I log out of WordPress, it does give me the login form on Gravatar, but after putting in my credentials, it still takes me to the “Sign in to Gravatar with WordPress.com Connect” page. Clicking on “Sign in with WordPress.com” seems to go through a bunch of URL redirects for an OAuth process (connect, authorize, request_access_token) and then it tries to go to https://gravatar.com/emails/ and gets redirected back to the login page.

  • Update: it seems to be working correctly at this time

  • Thanks. It’s good to know it wasn’t just some weird problem with only my account or, y’know, just general insanity on my part!

    It does also seem to be working for me now too.

  • (Marking as resolved)

  • Glad to hear you both were able to sort this out. Let us know if you still have trouble or need help with anything else.
