What You Need to Know About Canva Data Breach

  • By David Lukic
  • Published: Nov 02, 2021
  • Last Updated: Mar 18, 2022

Popular Australian-based graphic design platform Canva suffered a major data breach, which cost them 139 million user records along with a heaping pile of bad press.


ZDNet was contacted on May 24th, 2020, by a hacker named GnosticPlayers who took credit for the breach and claimed that along with Canva, he or she had made off with more than 1 billion user credentials. The information purportedly stolen was usernames, names, email addresses, city, and country data. This particular hacker or hacker group is quite prominent and responsible for posting 932 million users’ data on the dark web.

ZDNet contacted Canva to report the breach after validating it through a sample of the stolen data. Canva responded via email with, “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses.” They went on to reassure with, “We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution. We will continue to communicate with our community as we learn more about the situation.”

In this single incident, 78 million users’ Gmail addresses were exposed. Canva vehemently defends its position, stating that its passwords are hashed with bcrypt, which would make it nearly impossible for hackers to crack each person’s password. The passwords were also salted (additional characters added to each one before hashing). However, only 61 million of the 139 million users had salted passwords hashed using bcrypt. The others logged in using Google tokens (Gmail).

Canva has been in business since 2012 and quickly rose to the top in terms of website traffic. They provide free and paid accounts where users can create websites, graphic design elements, and other content. They also partnered with two free stock content providers (Pexels and Pixabay), offering a vast library of stunning artwork to customers. Canva is currently valued at $2.5 billion, so although this data breach was a slight bruise to their ego, they will come back swinging.

When Was The Canva Data Breach?

The actual data breach occurred on May 24, 2019. The hacker responsible, GnosticPlayers, told ZDNet that they “download everything up to May 17.” At that point, the breach was detected, and Canva closed the server. The same hacker reported it to ZDNet shortly after being shut down.

As a follow-up, on January 17, 2020, Canva posted an update stating that, as of January 11, 2020, it had found that at least 4 million of the breached user accounts did, in fact, include decrypted passwords. Canva urged all users to change their passwords immediately and, if they reuse those account credentials elsewhere, to change them there as well to avoid unauthorized access to their other website services.

On January 12th, Canva automatically reset passwords that were not changed and notified users.

How To Find Out If Your Data Was Breached

You can contact Canva via email at contact@canva.com to ask about your account at any time. If you were involved in the breach, you should have received notification directly from Canva by now. If not, you can use third-party websites to check whether any of your data shows up on the dark web from this breach or any others. Other immediate actions to take are:

● Just to be safe, change your passwords for logins associated with banks and credit cards.
● Sign up for credit monitoring with a good company like IDStrong.com.
● Run a full scan of your computer to ensure you were not scammed or infected with a virus or malware.

What To Do After Data Breach

Canva has reassured all users that none of their payment information was collected or accessed in the data breach. However, as we now know, passwords were decrypted for at least 4 million users. If you were involved in this data breach, change your password immediately if it has not already been changed. If you reuse your Canva username, email, or password anywhere else, change those on the other websites as well to protect yourself.

Are There Any Lawsuits Because Of The Data Breach?

There have not been any class-action or single-plaintiff lawsuits filed as a result of this data breach.

Can My Canva Information Be Used For Identity Theft?

Yes, it can. Hackers and cybercriminals need very little to wage an identity theft war on victims. It starts with an email address and name, and from there, they can browse through the treasure trove of stolen data on the dark web and match it up with user accounts, passwords, and sometimes even payment details. This exposure leaves you vulnerable not only to identity theft but also scams and fraud.

How To Prevent a Data Breach?

The whole world is online and if you use any type of online service, log into accounts to manage your banks, credit cards, or even play online games, you are at risk of a data breach and exposure of your information. Luckily, however, there are things you can do to protect yourself, such as:

● Check your credit reports often and invest in credit monitoring.
● Keep your computer antivirus updated to avoid malware, ransomware, or hacking.
● Monitor your bank and credit card statements for unauthorized activity.
● Use common sense and be on the lookout for spam and phishing emails.
● Never click any links or open attachments in emails.
● Use only one credit card for retail purchases and monitor your statements carefully each month.
● Invest in credit monitoring and consider a credit freeze where new accounts cannot be opened without your permission.
● Do not provide personally identifiable information (PII) to anyone who requests it online or over the phone unless you contacted them first.
● Never reuse the same username or passwords on multiple websites.
● Only use long, complex passwords made up of a combination of letters, numbers, and symbols.
● Consider using a password vault or other resource to safely store your passwords and randomly generate strong ones.