Last Friday, ZDNet reported on Canva’s data breach. Canva is a popular Sydney-based startup that offers a graphic design service. According to the hacker, who contacted ZDNet directly, the data of roughly 139 million users was compromised in the breach.
Responsible for the data breach is a hacker known online as GnosticPlayers. Since February this year, they have put up for sale the data of 932 million users, reportedly stolen from 44 companies around the world.
“I download everything up to May 17,” the hacker said to ZDNet. “They detected my breach and closed their database server.”
Source: ZDNet website
In a statement on the Canva website, the company confirmed the attack and said it has notified the relevant authorities. It also tweeted about the data breach on 24th May, as soon as it discovered the hack, and recommended that users change their passwords immediately.
This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.
— Canva (@canva) May 25, 2019
“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said.
“On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).
“We’re aware that a number of our community’s usernames and email addresses have been accessed.”
Stolen data included details such as customer usernames, real names, email addresses, and city and country information. For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms available. For other users, the stolen information included Google tokens, which those users had used to sign up for the site without setting a password. Of the total 139 million users, 78 million had a Gmail address associated with their Canva account.
Canva is one of Australia’s biggest tech companies. Founded in 2012, the site has climbed the Alexa website traffic rankings since its launch and now ranks among the top 200 most popular websites.
Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world’s biggest free stock content sites — Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.
According to reports from Business Insider, the community was dissatisfied with how Canva responded to the attack. IT consultant Dave Hall criticized the wording Canva used in a communication sent to users on Saturday. He believes Canva did not respond fast enough.
Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you've been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl
— Dave Hall (@skwashd) May 25, 2019
One Hacker News user commented, “It seems as though these breaches have limited effect on user behaviour. Perhaps I’m just being cynical but if you aren’t getting access and you are just getting hashed passwords, do people even care? Does it even matter?
Of course names and contact details are not great. I get that. But will this even affect Canva?”
Another user says, “How is a design website having 189M users? This is more astonishing than the hack!”