Bellingcat: The OSINT Gatekeepers Who Can't Secure Their Own Site
a day ago
- #Bellingcat
- #Cybersecurity
- #OSINT
- Bellingcat, a leading OSINT organization, exposed 173 Gravatar hashes (hashes of contributors' email addresses, embedded in Gravatar avatar URLs) in its public WordPress sitemap.
- 89 of those hashes were resolved back to the original email addresses (Gravatar hashes the lower-cased address, so a candidate list can simply be hashed and compared), and 32 of the matching Gravatar profiles were harvested, revealing real names, locations, and social media accounts.
- The investigation was prompted by the author being banned from Bellingcat's Discord for posting a GIF, a ban the author describes as unjust, followed by an automatic crossban from affiliated OSINT communities.
- Bellingcat's ModMail bot requires visibility into every Discord server a user has joined, which exposes members' server memberships and is a significant OPSEC risk.
- The organization had not applied basic WordPress hardening, such as disabling author enumeration and keeping Gravatar hashes out of sitemaps.
- Bellingcat's crossban system propagates bans across multiple OSINT communities for minor infractions, so a single moderation decision has an outsized effect on the affected user.
- The investigation highlights the irony of Bellingcat teaching OSINT methodologies while failing to protect its own data against the same techniques.
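As an added illustration of the technique summarized above (this is not code from the article or from Bellingcat), the following Python audits a sitemap for Gravatar avatar URLs and shows how cheaply the embedded hashes resolve to addresses: Gravatar hashes the trimmed, lower-cased email with MD5 (SHA-256 is also accepted), so anyone holding a candidate list can hash it and compare. The sitemap, names, domains and addresses below are constructed for the example; `example.org` and `secret-mail.test` are placeholders, and the address patterns in `candidate_emails` are an assumption about how a typical wordlist would be built.

```python
"""Audit a WordPress sitemap for Gravatar hashes and test how easily they
resolve to e-mail addresses. Added example; every name, address, domain and
sitemap entry here is constructed for illustration."""
import hashlib
import itertools
import re
import xml.etree.ElementTree as ET

# Gravatar avatar URLs carry either a 32-hex MD5 or a 64-hex SHA-256 digest.
GRAVATAR_RE = re.compile(r"gravatar\.com/avatar/([0-9a-f]{32}|[0-9a-f]{64})", re.I)


def gravatar_hash(email: str, algo: str = "md5") -> str:
    """Gravatar hashes the trimmed, lower-cased address (MD5 classically;
    SHA-256 is also accepted), so case and whitespace never add entropy."""
    normalized = email.strip().lower().encode("utf-8")
    return hashlib.new(algo, normalized).hexdigest()


def build_sample_sitemap(emails):
    """Constructed author sitemap in the sitemaps.org + image-extension format,
    with each author's Gravatar URL listed as the page image (the shape in
    which avatar hashes end up in a public sitemap)."""
    urls = []
    for i, email in enumerate(emails):
        urls.append(
            "  <url>\n"
            f"    <loc>https://example.org/author/user{i}/</loc>\n"
            "    <image:image>\n"
            f"      <image:loc>https://secure.gravatar.com/avatar/{gravatar_hash(email)}?s=96&amp;d=mm</image:loc>\n"
            "    </image:image>\n"
            "  </url>\n"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"\n'
        '        xmlns:image="http://www.google.com/schemas/sitemap-image/1.1">\n'
        + "".join(urls) + "</urlset>\n"
    )


def extract_gravatar_hashes(sitemap_xml: str) -> set:
    """Walk every text node in the sitemap and collect Gravatar hashes.
    Parsing the XML rather than grepping the raw file catches hashes in
    <loc>, <image:loc> or any other element a plugin might emit."""
    found = set()
    root = ET.fromstring(sitemap_xml.encode("utf-8"))
    for elem in root.iter():
        if elem.text:
            for m in GRAVATAR_RE.finditer(elem.text):
                found.add(m.group(1).lower())
    return found


def candidate_emails(names, domains):
    """Assumed wordlist generator: common address patterns for each
    (first, last) pair at each domain an attacker already knows."""
    for (first, last), domain in itertools.product(names, domains):
        f, l = first.lower(), last.lower()
        for local in (f"{f}.{l}", f"{f}{l}", f"{f[0]}{l}", f"{f}_{l}", f):
            yield f"{local}@{domain}"


def resolve_hashes(hashes, candidates):
    """Offline 'crack': hash every candidate both ways and look it up in the
    leaked set. Returns {hash: email} for the ones that match."""
    resolved = {}
    for email in candidates:
        for algo in ("md5", "sha256"):
            h = gravatar_hash(email, algo)
            if h in hashes and h not in resolved:
                resolved[h] = email
    return resolved


# Constructed contributor addresses that a leaky sitemap would expose.
LEAKED_AUTHORS = ["Alice.Example@example.org", "bob@example.org", "cth@secret-mail.test"]


def demo():
    """Build the leaky sitemap, audit it, then resolve what a small
    name-based wordlist recovers. Returns (hashes found, hashes resolved)."""
    sitemap = build_sample_sitemap(LEAKED_AUTHORS)
    hashes = extract_gravatar_hashes(sitemap)
    names = [("Alice", "Example"), ("Bob", "Builder"), ("Carol", "Smith")]
    resolved = resolve_hashes(hashes, candidate_emails(names, ["example.org"]))
    return hashes, resolved


if __name__ == "__main__":
    hashes, resolved = demo()
    print(f"{len(hashes)} Gravatar hashes in sitemap, {len(resolved)} resolved:")
    for h, email in resolved.items():
        print(f"  {h} -> {email}")
```

Point `extract_gravatar_hashes` at the fetched body of your own site's author sitemap; any non-empty result means contributor addresses are one wordlist away from being public, exactly the exposure the article describes. The hash whose address is on an unguessed domain (`cth@secret-mail.test`) stays unresolved, which is why the recovery rate in the article was partial rather than total: the hash is only as private as the address is unguessable. On the WordPress side the fix is to stop publishing the users/author sitemap (core exposes the `wp_sitemaps_add_provider` filter for dropping the `users` provider) and to check the other enumeration paths the article mentions, such as `?author=N` redirects and the `/wp-json/wp/v2/users` endpoint.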