Popular Australian-based graphic design platform Canva suffered a major data breach, which cost them 139 million user records along with a heaping pile of bad press.
ZDNet was contacted on May 24th, 2020, by a hacker named GnosticPlayers who took credit for the breach and claimed that along with Canva, he or she had made off with more than 1 billion user credentials. The information purportedly stolen was usernames, names, email addresses, city, and country data. This particular hacker or hacker group is quite prominent and responsible for posting 932 million users’ data on the dark web.
ZDNet contacted Canva to report the breach after validating it through a sample of the stolen data. Canva responded via email with, “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses.” They went on to reassure with, “We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution. We will continue to communicate with our community as we learn more about the situation.”
This single incident exposed the Gmail addresses of 78 million users. Canva vehemently defends their position by stating that their passwords were hashed with bcrypt, which would make it nearly impossible for hackers to crack each person’s password. The passwords were also salted (additional random characters added to each one before hashing). However, only 61 million of the 139 million users had salted passwords hashed with bcrypt. The others logged in using Google tokens (Gmail).
Canva has been in business since 2012 and quickly rose to the top in terms of website traffic. They provide free and paid accounts where users can create websites, graphic design elements, and other content. They also partnered with two free stock content providers (Pexels and Pixabay), offering a vast library of stunning artwork to customers. Canva is currently valued at $2.5 billion, so although this data breach was a slight bruise to their ego, they will come back swinging.
When Was The Canva Data Breach?
The actual data breach occurred on May 24, 2019. The hacker responsible, GnosticPlayers, told ZDNet that they “download everything up to May 17.” At that point, the breach was detected, and Canva closed the server. The same hacker reported it to ZDNet shortly after being shut down.
As a follow-up, on January 17, 2020, Canva posted an update stating that, as of January 11, 2020, they had found that at least 4 million of the breached user accounts did, in fact, include decrypted passwords. They urge all users to change their passwords immediately. If you reuse those account credentials elsewhere, change them there as well to avoid unauthorized access to your other website services.
On January 12th, Canva automatically reset passwords that were not changed and notified users.
How To Find Out If You Were Affected By The Data Breach
You can contact Canva via email at contact@canva.com to ask about your account at any time. If you were involved in the breach, you should have received notification directly from Canva by now. If not, you can use third-party websites to check whether any of your data shows up on the dark web from this breach or any others. Other immediate actions to take are:
● Just to be safe, change your passwords for logins associated with banks and credit cards.
● Sign up for credit monitoring with a good company like IDStrong.com.
● Run a full scan of your computer to ensure you were not scammed or infected with a virus or malware.
What To Do After A Data Breach
Canva has reassured all users that none of their payment information was collected or accessed in the data breach. However, as we now know, passwords were decrypted for at least 4 million users. If you were involved in this data breach, immediately change your password if it hasn’t been changed already. If you reuse your Canva username, email, or passwords anywhere else, change those as well on other websites to protect yourself.
Are There Any Lawsuits Because Of The Data Breach?
There have not been any class-action or single-plaintiff lawsuits filed as a result of this data breach.
Can My Canva Information Be Used For Identity Theft?
Yes, it can. Hackers and cybercriminals need very little to wage an identity theft war on victims. It starts with an email address and name, and from there, they can browse through the treasure trove of stolen data on the dark web and match it up with user accounts, passwords, and sometimes even payment details. This exposure leaves you vulnerable not only to identity theft but also scams and fraud.
How To Prevent a Data Breach?
The whole world is online, and if you use any type of online service, log into accounts to manage your banks or credit cards, or even play online games, you are at risk of a data breach and exposure of your information. Luckily, however, there are things you can do to protect yourself, such as:
● Check your credit reports often and invest in credit monitoring.
● Keep your computer antivirus updated to avoid malware, ransomware, or hacking.
● Use common sense and be on the lookout for spam and phishing emails.
● Never click any links or open attachments in emails.
● Use only one credit card for retail purchases and monitor your statements carefully each month.
● Invest in credit monitoring and consider a credit freeze where new accounts cannot be opened without your permission.
● Never reuse the same username or passwords on multiple websites.
● Only use long, complex passwords made up of a combination of letters, numbers, and symbols.
● Consider using a password vault or other resource to safely store your passwords and randomly generate strong ones.