A Case Study of Credential Stuffing Attack: Canva Data Breach



Decrypting Canva’s Security Breach That Affected 139 Million User Accounts

Yet another attack by a hacker responsible for cyber threats at over 44 companies worldwide.

Spreeha Dutta


If you have been a Canva user for over a year now, then on the 26th of May 2019 you would have received an email from Canva notifying you about the company being at the receiving end of a security attack. Canva was very responsive throughout, be it in taking the necessary protective measures against the attack or informing the concerned cyber crime cell.

However, at that time the attack was estimated to have only minimally impacted the 139 million user accounts involved. It was only later, on the 11th of January 2020, that it was found that the attack could have left its repercussions on as many as 4 million accounts whose passwords had also been successfully cracked by the hacker.

But before we go further, to give you a brief background about Canva: it is one of the most popular graphic design startups and was founded in Australia in 2013. Currently it has a presence in 190 countries with 15 million users. Read on to know more about the attack and how Canva immediately responded to counter the potential damage.

Going Back To The Morning Of The Attack

On the 24th of May 2019, a hacker who goes by the name GnosticPlayers contacted ZDNet and claimed to have breached Canva earlier that morning.

“I download everything up to May 17,” the hacker said, as reported by ZDNet.

The Canva attack wasn’t the first time that he/she/the group was responsible for a cyber attack. Dubsmash, MyFitnessPal and Zynga are a few of the names who had previously fallen victim to GnosticPlayers’ data breaches. GnosticPlayers is infamous as a hacker who has stolen the data of over 900 million users from 45 companies worldwide and put it on sale on the dark web.

But how was the Canva attack different from other attacks?

Here, the attack was discovered and stopped by Canva while it was still occurring. Canva had immediately shut its database servers on detecting the attack. But what was most surprising was the fact that after the attack was stopped, the hacker directly contacted a journalism group (ZDNet) and admitted to having committed the crime.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict.

This bold measure on the part of the hacker was considered by many to be a ploy to steer more sales of the stolen user accounts that he had put for sale on the dark web.

What was compromised in the attack?

  • The profile database of 139 million users was accessed. This contained usernames, email ids and public profile ids.
  • Passwords, stored as salted hashes produced by the bcrypt algorithm. bcrypt is still considered to be one of the most secure password-hashing algorithms.
  • A claim of access to the OAuth login tokens of those users who had logged in using Google. (OAuth tokens are what applications use to make requests on behalf of the user, within the authorization granted to that specific application.)
  • Limited viewing of card details and payment data. Fortunately for Canva, it never stores complete credit card information in one place. Therefore, even though the attacker might have viewed these files momentarily, they couldn’t have used them for carrying out payments.

Why were the users not thought to be at much risk?

  • Since the passwords had been first salted and then protected with a hashing function called bcrypt, it was considered at the time that even though the attackers had access to the hashed passwords they would not be able to reverse the hashes and recover the original passwords. bcrypt is one of the strongest password-hashing algorithms there is, since its cost factor (the number of internal iterations) can be raised over time to make each hash computation slower and thus more resistant to brute-force attacks.
  • The OAuth tokens too were encrypted using an algorithm called AES128, and the keys for the same were stored in a separate secure location. There was no evidence that the keys in that location were accessed. And without the keys, the tokens alone wouldn’t prove to be of much use to the attacker.
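The two properties the bullets above attribute to bcrypt, a per-password salt and a work factor that can be raised later, are what make a stolen hash table expensive to attack. The following is an added example, not code from the original article or from Canva. Python's standard library has no bcrypt, so it uses `hashlib.scrypt` as a stand-in with the same two properties (the `log2_n` parameter plays the role of bcrypt's cost), and it also shows the migration pattern by which a site raises the cost over time: on each successful login, a record stored under an older, cheaper cost is re-hashed under the current policy. The record format `scrypt$log2_n$salt$hash` and the function names are this example's own conventions.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt (assumption: stdlib scrypt, not Canva's actual scheme).
SALT_BYTES = 16
KEY_BYTES = 32
SCRYPT_R = 8   # with r=8, log2_n above 14 needs hashlib.scrypt's maxmem raised


def _derive(password: str, salt: bytes, log2_n: int) -> bytes:
    """Memory-hard KDF with a tunable work factor; 2**log2_n is the cost."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=1 << log2_n, r=SCRYPT_R, p=1, dklen=KEY_BYTES)


def hash_password(password: str, log2_n: int = 14) -> str:
    """Return a self-describing record: scrypt$log2_n$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same
    password get different records, so one precomputed table cannot
    be reused across accounts.
    """
    salt = os.urandom(SALT_BYTES)
    return f"scrypt${log2_n}${salt.hex()}${_derive(password, salt, log2_n).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, log2_n, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        actual = _derive(password, bytes.fromhex(salt_hex), int(log2_n))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, policy_log2_n: int) -> bool:
    """True if the record was hashed under a cost lower than current policy."""
    return int(record.split("$")[1]) < policy_log2_n


def login(password: str, record: str, policy_log2_n: int):
    """Verify, and if the stored cost is stale, return an upgraded record.

    Returns (ok, new_record); new_record is None when nothing should be
    written back. Cost can only be raised while the plaintext is in hand,
    which is why the upgrade happens at login time.
    """
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, policy_log2_n):
        return True, hash_password(password, policy_log2_n)
    return True, None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", log2_n=10)
    print("stored record:", stored)
    ok, upgraded = login("correct horse battery staple", stored, policy_log2_n=12)
    print("login ok:", ok, "| upgraded to cost 12:", upgraded is not None)
```

Raising the policy cost does nothing for records that never see another successful login, which is one reason a forced reset of still-unchanged passwords, as Canva did in January 2020, is sometimes the only way to move the whole user base forward.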

What was Canva’s Response To the Attack?

I too was a Canva user at the time of the breach and I still am. I received the following mail from them as did its other customers on the 26th of May, 2019.

Unexpected Turn Of Events…

It was only on the 11th of January 2020, 7 months after the attack, that the company became aware that the hacker had been able to crack the passwords of as many as 4 million Canva accounts out of the 139 million accounts that had been compromised by the breach. It sent Canva into damage control mode once again.

Canva promptly notified all its users of the attack and asked all those whose passwords had been cracked to change their passwords immediately, by sending out emails containing a set of guidelines for setting the new password. On the 12th of January 2020, Canva forcibly reset the passwords of all those who hadn’t changed them yet and sent out emails about the same to its users.

What’s the Current Situation?

In spite of all the storm that Canva weathered, to date, it continues to be one of the fastest-growing tech companies. In fact, since the attack, its Alexa website traffic rank shot up substantially and it was featured among the Top 200 most popular websites. Canva is currently valued at a massive sum of $3.2 billion. It remains a favorite among its users who are looking to build quick and attractive designs, logos, and posters.

However, this incident also brought to light a very essential issue for budding businesses and startups — that however good their product might be, if they don’t cultivate healthy cyber security practices it will be difficult for them to survive going ahead.

That’s all! Thanks for reading the entire way! Do leave your feedback. You can also connect with me on: LinkedIn: https://www.linkedin.com/in/spreehadutta/ Twitter: https://twitter.com/DuttaSpreeha GitHub: https://github.com/Spreeha Mail: [email protected]


Australian tech unicorn Canva suffers security breach


Canva, a Sydney-based startup that's behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.

Hack took place this morning

Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.

"I download everything up to May 17," the hacker said. "They detected my breach and closed their database server."

Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.

For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the hacker's claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site's staff and admins.

We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site's administrators, informing them of the breach and requesting an official statement.

"Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses," a Canva spokesperson told ZDNet via email.

"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution," the company said.

"We will continue to communicate with our community as we learn more about the situation."

One of the internet's biggest sites

Canva is one of Australia's biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites -- Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

With today's hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone's still keeping count, that's 1.071 billion credentials from 45 companies.


139 million users hit in data breach

In May 2019, the company suffered a data breach that affected 139 million customers. The company identified the attack whilst it was ongoing, so the perpetrator took to Twitter to make their attack public, which forced the company into swift damage control mode.

The data exposed included customer usernames, real names, email addresses, passwords and location information. Although customer passwords were breached, all the passwords were stored in hashed form (salted and hashed with bcrypt). No credit card details or designs were exposed or accessed in the attack.

In January 2020, the company became aware of a list of approximately 4 million customer accounts containing passwords stolen as part of the May 2019 breach. The attackers 'cracked' (decrypted) the passwords of affected accounts and shared that information online.


Canva ‘working around the clock’ to investigate data breach

Attack against graphic design site said to impact 139 million users


Canva, a popular online design toolkit, said it is working “around the clock” to investigate an attack on its systems that may have resulted in the data of 139 million users being compromised.

In an alert issued over the weekend, Canva said: “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities.”

The Australia-based company said that “a number” of usernames and email addresses were accessed by attackers.

However, ZDNet’s Catalin Cimpanu – who broke the story after receiving a tip-off from the alleged hacker – said the number of potentially impacted Canva users could be somewhere in the region of 139 million.

In an update this morning, Canva said:

Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.

In addition to usernames and email addresses, the company said the hackers obtained passwords in their encrypted form (salted and hashed with bcrypt).

While these passwords remain unreadable by external parties, users have been urged to change their Canva passwords.

The Daily Swig has asked the company if its investigation has shone any light on the number of impacted customers.

Blank Canva

Founded in 2012, Canva is a community-focused design site that allows users of varying abilities to create graphics for presentations, posters, and social media.

The tech firm, which gained popularity for its user-friendly drag-and-drop functionality, recently raised $70 million in its latest funding round.

In the days following the attack, the business came under fire from some users who claimed that the news of the security incident was buried below a paragraph of “marketing fluff”.

While these users do have a point, it should also be noted that Canva set about informing customers within 24 hours of being alerted to the incident, and since then has been actively answering questions on social media.

“The prompt honesty is much more appreciated than those companies who are afraid of admitting a breach,” said one Twitter user.

“Thank you for your honesty and transparency,” added another.

James Walker

James Walker

@jameswalk_er

We’re going teetotal – It’s goodbye to The Daily Swig

Indian gov flaws allowed creation of counterfeit driving licenses, related stories, password managers part ii, password manager security, deserialized roundup.

Government wants a sweeping social media inquiry

Apple to power ai servers with its chips, meta's oversight board backs takedown of australian voter fraud posts, tpg telecom makes enterprise data searchable with copilot trial, nsw health professional complaints system to be re-platformed, canva's infosec resourcing 'still growing' two years after large data breach, post-incident reports offer extra details on may 2019 attack..

Australian tech unicorn Canva has a "much larger" and "still growing" security team and access to "ever-increasing" investment more than two years after a large-scale data breach.

Canva's infosec resourcing 'still growing' two years after large data breach

The company’s newly-appointed head of security Paul Clarke told a pre-recorded AWS event last week that the 2019 breach “had a really visceral impact on company executives”, underlining the need for sustained investment and resourcing as well as for a “company-wide focus” on security.

Canva’s systems were breached on Friday May 24 of 2019 and "up to" 139 million users’ details - comprising usernames, email addresses and hashed passwords - were stolen.

The company said at the time that it had stopped an in-progress “attack on our systems”. 

“Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response,” the company said in a notification.

Though pre-dating Clarke's time at Canva by several years, he elaborated on this aspect of the attack at the AWS event, saying his knowledge was drawn from reading the company’s “detailed post-incident reports” and “talking to people who were involved in” the response and mop-up.

“The event began from Canva’s perspective on a Friday - [because] ... all major security incidents begin as you’re going into the weekend,” he said.

“It started with an alert from one of our monitoring systems about unusual activity happening in one of Canva’s AWS accounts. 

“When the on-call engineer investigated they identified suspicious activity coming from a particular IP address using particular access credentials, and they quickly acted to block the access of what was at that point a presumed attacker. 

“The event then took a slightly unusual turn, in my personal experience, which was at the point that the attacker lost their access, they immediately contacted tech media journalists and went public on Twitter about their activity. 

“So Canva found itself in a situation where this was public domain knowledge on the same day that Canva had identified this issue and was trying to understand exactly what had happened.”

From his reconstructed understanding of the incident response, Clarke said Canva had “three streams of work” running concurrently.

“There was the technical response to understand what had actually happened, there was a communications plan response about informing our community about the potential impact to them, and then there was a third workstream which was focused on data privacy regulator notification and law enforcement engagement,” he said.

“We ultimately discovered that the attacker had been able to gain access to some Canva systems and they’d been able to take a copy of our user database which contained usernames, email addresses, and password hashes for users who logged in directly with Canva rather than using Google or Facebook to login, and that kind of informed our communication plan. 

“We have an immediate obligation to notify our community and we did that through different channels - through social media, direct email to customers, and constant updates on a dedicated security incident page on our website, and that page is still there today.”

The company’s initial emailed notification to users was criticised at the time for burying disclosure of the breach under unrelated marketing information.

Speaking broadly about its communications plan, Clarke said it was challenging to translate into all the languages spoken by its user base.

He said the incident had “influenced the culture at Canva”, resulting in more resourcing and investment being put behind security.

“This event from two years ago had a really visceral impact on company executives,” he said.

“They truly understand that security incidents, security breaches are part of the business’s existential risk now and need to be managed as such, so there is real understanding from the very top of the company that this really matters and it needs company-wide focus. 

“More specifically there’s been an ever-increasing investment in security, so the security group is much larger than it was two years ago and it’s still growing. Our investment in tools and trusted partners continues to grow. 

“I think it’s just widely acknowledged across the company that security is as important to the business as feature development [or] customer acquisition.”

Clarke added that the breach highlighted the importance of being well-practiced at incident response.

“To be efficient and effective during an incident, you must have practiced outside of that pressurised situation,” he said.

“Know your incident response plan, know who is responsible for which elements of it, and practice, practice, practice.”


Gnosticplayers: Why the hacker behind the Canva data breach boasted to the media


‘Gnosticplayers’ appears to have struck again last week, with the notorious hacker claiming to be behind the 24 May data breach that saw the personal details of almost 140 million Canva users accessed.

The graphic design platform detected and stopped the attack as it was occurring, but not before the malicious actor accessed data including usernames, real names, email addresses, countries, encrypted passwords and partial payment data.


Gnosticplayers, who is believed to be behind hacks involving more than 40 large companies in 2019, contacted ZDNet immediately to notify them of and claim responsibility for the breach, as he has various times in the past.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict.

So why would a hacker use this unusual tactic, and how much does this notoriety benefit somebody like Gnosticplayers?

Attracting a buyer

Given the ease of sale that popular dark web marketplaces provide cybercriminals, financial gain is the most likely incentive for hackers to carry out such a breach.


That appears to be the case for Gnosticplayers, who has listed close to one billion compromised records on the dark web since February, requesting varying amounts of bitcoin in exchange for this stolen data.

Cybersecurity experts feel that the attempt to spread details of the breach in the mass media is a likely effort to promote the data that has been stolen.

Given that Dream, the dark web marketplace where Gnosticplayers previously sold their data, shut down last month, it “makes sense” that they would reach out to the media to continue to advertise their hacks, Daniel Smith, an information security researcher for Radware’s Emergency Response Team, believes.

Valuable data for cybercriminals, despite Canva’s quick response

While bringing further attention to the breach could lower the value of the compromised data, given Canva users will change their passwords if the company hasn’t reset them already, the data will still hold a lot of value for cybercriminals to exploit.

“These passwords will still have a lot of value,” Alashe told Verdict. “That’s because, even after a breach, and even after one that is well-publicised, many affected users won’t voluntarily change them.”

“What’s more, since most users reuse passwords across multiple platforms, even if people do change their Canva passwords, it’s likely that other accounts are still compromised.”

Cybercriminals will use this data to carry out credential stuffing attacks. This involves replaying a large number of leaked email-and-password pairs against a login form in the hope that some of them still work. Given that password reuse is still rife, credential stuffing can give cybercriminals access to accounts not just on the breached platform, but also on other websites and platforms across the web.
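From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the occasional success is exactly the account that now needs a forced reset. The following is an added example, not code from the original article or from any of the companies it quotes. It parses a few constructed log lines (the `auth result=... src=... user=...` format, the IP addresses and the user names are all invented for this example), flags sources whose sliding window of attempts shows many distinct users and a high failure ratio, and lists the accounts that logged in successfully from a flagged source. The thresholds are illustrative and would be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.7 cycles
# through leaked email/password pairs; 198.51.100.23 is one user who
# mistypes twice and then gets in.
SAMPLE_LOG = """\
2019-05-24T09:00:01Z auth result=fail src=203.0.113.7 user=alice@example.com
2019-05-24T09:00:02Z auth result=fail src=203.0.113.7 user=bob@example.com
2019-05-24T09:00:03Z auth result=ok src=203.0.113.7 user=carol@example.com
2019-05-24T09:00:04Z auth result=fail src=203.0.113.7 user=dave@example.com
2019-05-24T09:00:05Z auth result=fail src=203.0.113.7 user=erin@example.com
2019-05-24T09:00:06Z auth result=fail src=203.0.113.7 user=frank@example.com
2019-05-24T09:05:00Z auth result=fail src=198.51.100.23 user=grace@example.com
2019-05-24T09:05:09Z auth result=fail src=198.51.100.23 user=grace@example.com
2019-05-24T09:05:20Z auth result=ok src=198.51.100.23 user=grace@example.com
"""

# Log line format is an assumption of this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth\s+result=(?P<result>ok|fail)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)$"
)


def parse_log(text: str):
    """Return (timestamp, src_ip, user, success) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any sliding window, try at least
    min_users distinct accounts with a failure ratio >= min_fail_ratio.

    Many distinct users per source separates stuffing from a single
    user fumbling their own password, which shows up as one user and
    is handled by ordinary per-account lockout instead.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[src] = {"distinct_users": len(users),
                                "attempts": len(win), "failures": failures}
                break  # first qualifying window is enough to flag the source
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: these
    are the ones to force-reset and notify, as Canva did in January 2020."""
    return sorted({user for ts, src, user, ok in events if ok and src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

A distributed attack spreads the same pattern across many source addresses, so in practice the same counters are also kept per ASN, per user agent, and per target account (number of distinct sources trying one account); the windowing logic is identical, only the grouping key changes.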

Likewise, cybercriminals can also use breached passwords in their phishing attempts in order to trick victims into handing over money. Cybercriminals carry out sextortion scams, for example, where they claim to have compromised the victim’s system and recorded compromising footage of them, using the password as ‘proof’ of the breach.

Hackers for hire

While Gnosticplayers appears to be promoting the compromised data for sale, hackers may also turn to the media in attempt to promote themselves.

In that regard, notoriety is hugely important. Claiming an attack against a large organisation could prove far more lucrative than selling the data on should they attract the attention of those looking to carry out cyberattacks against a particular organisation.

“There are a number of reasons why hackers hack, and… one of them is self-publicity,” Guy Bunker, chief technology officer for IT security company Clearswift, told Verdict. “While in the old days it was about defacing websites and then showing it could be done, these days it is about being able to show off technological prowess and then ‘selling it to the highest bidder’.”

While the dark web might be associated with the criminal underworld, legitimate actors also frequent the hacker-for-hire market, according to Sam Curry, chief security officer at Cybereason.

“It’s not just governments turning to cyber for a quick fix or new options, it’s also the private sector,” Curry told Verdict. “Sometimes they [hackers] are employed by competitors or activists to embarrass and expose victims.”

It is unclear how common this practice is in the business world. However, a past study conducted by cybersecurity firm Kaspersky found that 40% of businesses hit by a distributed denial of service (DDoS) attack believed that their competitors were behind it. A DDoS attack involves flooding a web server with traffic in order to use up its bandwidth, which stops legitimate users from connecting to the server.

However, hacking attempts launched against businesses have the potential to be far more costly than some downtime. Under the European Union’s General Data Protection Regulation (GDPR), businesses can be fined up to €20m or 4% of global annual turnover for failing to protect user data.

“These days, with GDPR, there is the potential for a significant fine to be levied because of the breach – highlighting it will bring it to the attention of the media and the regulatory authorities, and with that the investigations, allegations and fines,” Bunker said.

Controlling the narrative

Hacking isn’t always about financial gain. Many breaches are carried out for socially or politically motivated reasons, a practice referred to as hacktivism.

Anonymous is the most widely known hacktivist group, having launched attacks on targets including the Islamic State, the Westboro Baptist Church and businesses such as PayPal and Sony, while groups like Lizard Squad and LulzSec have also attracted attention in recent years.

According to Alashe, contacting the media means that the hacker “takes control of the narrative”, allowing hacktivists to share their reasons for carrying out an attack.

Regarding Gnosticplayers, the hacker has previously alluded to poor security and data handling as a possible motive for his attacks.

“I got upset because I feel no one is learning,” the hacker previously told ZDNet. “I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.”

Then there is also the reputation that it brings in the hacker community. For many, financial gain is “just the bonus that comes with the territory”, Alashe explained.

Gnosticplayers’ willingness to talk to the media, while somewhat unusual, has undoubtedly made him one of the most publicly well-known hackers operating at the moment.

“Scores are kept by what other hackers think of your skill and the reputation of the companies you’ve been able to break into, and not necessarily how much money you’ve made,” Alashe said.

“Criminal behaviour, whether online or offline, is still criminal”

Hacktivists may have their reasons for carrying out an attack, but Curry emphasised that, regardless of motive, hacking is still a crime.

“Criminal behaviour, whether online or offline, is still criminal plain and simple,” Curry told Verdict. “We should focus on the hacker of Canva and finding them rather than guessing at motive.”

Canva has confirmed that it is working with cybersecurity experts and organisations such as the FBI in the wake of the breach, as the hunt continues for the culprit believed to be behind hacks on companies like Under Armour, MyHeritage, Mindjolt and GameSalad.

A Case Study of Credential Stuffing Attack: Canva Data Breach

Minh Hieu Nguyen Ba, Jacob Bennett, Michael Gallagher, Suman Bhunia. A Case Study of Credential Stuffing Attack: Canva Data Breach. In International Conference on Computational Science and Computational Intelligence, CSCI 2021, Las Vegas, NV, USA, December 15-17, 2021. Pages 735-740, IEEE, 2021.


Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

May 29, 2019

Online graphic design tools are extremely useful when it comes to creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren’t immune to malicious online activity. Canva, a popular Australian web design service, was recently breached by a malicious hacker, resulting in 139 million user records compromised.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter from ZDNet on May 24th and made him aware of the situation. The hacker claims to have stolen data pertaining to 1 billion users from multiple websites. The compromised data from Canva includes names, usernames, email addresses, city, and country information.

Canva claims to securely store all user passwords using the highest standards via the Bcrypt algorithm. Bcrypt is a strong, deliberately slow password-hashing algorithm designed to be difficult and time-consuming for hackers to crack, since hashing is a one-way function: the original password cannot be recovered from its hash and must instead be guessed and re-hashed. Additionally, each Canva password was salted, meaning that random data was added to each password before hashing so that identical passwords used across the platform do not produce identical hashes. According to ZDNet, 61 million users had their passwords hashed with the Bcrypt algorithm, and 78 million users had their Gmail addresses exposed in the breach.
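To make the two properties described above concrete (a slow, one-way hash and a random per-user salt), here is an added example that is not code from the article or from Canva. It uses hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt, which is a third-party package; the random per-password salt and the iteration count play the same roles as bcrypt's salt and cost factor. The sample passwords and the record layout are constructed for illustration.

```python
"""Per-user salted, deliberately slow password hashing with verification.

Added example, not code from the article or from Canva. hashlib.pbkdf2_hmac
stands in for bcrypt; the record layout "pbkdf2$<iterations>$<salt>$<hash>"
is an assumption for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster, like bcrypt's cost


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2$<iterations>$<salt>$<hash>".
    The salt is stored in the clear: its job is uniqueness, not secrecy."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_hash(password: str) -> str:
    """What NOT to do: a fast, unsalted digest. Equal passwords give equal
    hashes, so a leaked table reveals which users share a password and every
    guess can be checked against all users at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_visible(records) -> bool:
    """True if any two stored records are identical, i.e. the store leaks
    which users share a password. Salted records do not collide."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ:", alice != bob)
    print("unsalted store leaks shared password:",
          shared_password_visible([unsalted_hash(pw), unsalted_hash(pw)]))
    print("verify good:", verify_password(pw, alice),
          "verify bad:", verify_password("guess", alice))
```

Two users with the same password get different records because each record carries its own salt, and verifying a password means re-running the slow derivation with that stored salt rather than decrypting anything. The iteration count is stored alongside the hash so it can be raised for new passwords without invalidating old ones.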

Canva has notified users of the breach through email and assured them that their payment card and other financial data are safe. However, even if you aren’t a Canva user, it’s important to be aware of what cybersecurity precautions you should take in the event of a data breach. Check out the following tips:

  • Change your passwords. As an added precaution, Canva is encouraging their community of users to change their email and Canva account passwords. If a cybercriminal got a hold of the exposed data, they could gain access to your other accounts if your login credentials were the same across different platforms.
  • Check to see if you’ve been affected. If you’ve used Canva and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential data breaches.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised during a breach, Identity Theft Protection helps monitor and keep tabs on your data in case a cybercriminal attempts to use it.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Canva Data Breach - A Lesson For Budding Businesses

A data breach can gravely harm the reputation of any business and also hurt the sentiments of the users whose information gets exposed. The matters may become even worse if the aftermath of the incident is not handled decisively. Last week, the Australian tech giant Canva reported a major data breach that left the entire online community in shock.

Canva Security Breach - What actually happened?

In this major cybersecurity incident, the attacker stole records of over 139 million Canva users and the exposed data included real names, usernames, email addresses, and other sensitive personal information of users.

However, the email passwords that were stolen along with the other data were hashed using the Bcrypt algorithm, so they were not expected to be compromised. The dates of birth and home addresses of the users were also safe.

Soon after the breach was confirmed, the authorities at Canva urged their users to change passwords as a precautionary measure.

Launched in 2012, the Sydney-based graphic design unicorn has a user base of millions of users in almost 179 countries across the globe.

The hacking incident was reported on 24th May by a reporter from ZDNet. The reporter then asked for a sample dataset to verify the hack and received the personal data of around 17,000 users. Later, Canva also confirmed the authenticity of the breach. The alleged hacker behind this attack goes by the name GnosticPlayers and is infamous for his online crimes.

Since the beginning of 2019, this hacker has claimed to have stolen the data from around 1 billion users of about 44 major online companies and has put up that data for sale on the dark web.

The hacker stole the passwords of nearly 61 million users, but fortunately, they were hashed with one of the most secure password-hashing algorithms - Bcrypt. The hacker also stole Google Tokens, which were used by numerous users to sign in to their accounts without setting up passwords.

Canva’s Response To the data-leak: What Startups Should Learn

The last few weeks were more like a roller coaster ride for the Australian company. Since its launch, Canva has become the primary choice of users in the online design market and currently ranks #170 in the Alexa website traffic ranking.

In the past week, the company also raised almost $71 million in its Series D funding and was valued at a whopping $3.5 billion, making it one of the fastest-growing Australian tech startups. The company also acquired two free photography sites named Pexels and Pixabay recently.

Everything was running smoothly until the data breach news came in. And, after the breach was detected by Canva officials on 24th May, the manner in which the company communicated the incident to its users raised some serious questions.

Instead of focusing on the breach news, Canva's initial communication email to its customers centered on the company’s recent acquisitions and achievements. The wording and structure of the email were heavily criticized by security experts on several social media platforms.

Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you've been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl — Dave Hall (@skwashd) May 25, 2019

The critics accused Canva of marketing its brand achievements rather than being focused on the real data security issue. After the harsh feedback, the company corrected its mistake and issued another email that focused only on the breach issue.

The budding startups have a significant lesson to learn from this incident. As new businesses grow in size and scale, the risks related to cybersecurity also increase and so do the chances of getting breached. Companies should make thorough action plans and strategies for scenarios like these and try to be as straightforward as possible while explaining the criticality of such incidents to their users.

The temptation to soften the gravity of the issue by expressing it otherwise might make the situation even more complicated, and that is why it is better to share the right information at the right time with the concerned users.

It is essential to keep the stakeholders acquainted and updated about the crisis and consistently address their queries in times like these. Following the best cybersecurity practices from the beginning will undoubtedly go a long way.        

Subho Halder

COMMENTS

  1. A Case Study of Credential Stuffing Attack: Canva Data Breach

    In May 2019, the hacker known as GnosticPlayers attacked Canva, an Australian tech giant, and was able to obtain data from 139 million users from this one attack alone. Overall, GnosticPlayers has data from nearly one billion users from attacking different platforms and companies. The technique they used to take all of this user data is called credential stuffing and credential cracking ...

  2. Canva Security Incident

    Page Updated January 17, 10:21 AEST. On the 11th of January 2020, Canva became aware of a list of approximately 4 million Canva accounts containing user passwords stolen as part of the May 24 breach (see notes below, dated June 1, 10:13 AEST). The passwords had been decrypted and recently shared online. As unchanged passwords might be used to ...

  3. A Case Study of Credential Stuffing Attack: Canva Data Breach

    Nguyen Ba Minh et al. [81] described the case of the Canva data breach, where the attacker GnosticPlayers was able to obtain data from 139 million users by credential stuffing and credential ...

  4. Decrypting Canva's Security Breach That Affected 139 Million User

    The email sent by Canva on 26th May 2019 informing its customers Unexpected Turn Of Events… It was only on the 11th of January 2020, 7 months after the attack that the company became aware that the hacker had been able to decrypt the passwords of as many as 4 million Canva accounts out of the 139 million accounts that had been compromised by the breach.

  5. PDF Case Study Credential Stuffing and Credential Cracking

    Breach Summary Canva, an online design platform, suffered a data breach that may have affected 147 million users. The incident was caused by a malicious actor who gained access to Canva's systems through an employee's account. The intruder then gained access to a database containing information on Canva's users, including names, email

  6. A Case Study of Credential Stuffing Attack: Canva Data Breach

    A Case Study of Credential Stuffing Attack: Canva Data Breach. In May 2019, the hacker known as GnosticPlayers attacked Canva, an Australian tech giant, and was able to obtain data from 139 million users from this one attack alone, which can be prevented by multiple strategies including Multi...

  7. Australian tech unicorn Canva suffers security breach

    Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning. "I download everything up to ...

  8. Canva Data breach 139 million users affected

    In May 2019, the company suffered a data breach that affected 139 million customers. The company identified the attack whilst it was ongoing, so the perpetrator took to Twitter to make their attack public, which forced the company into swift damage control mode. The data exposed included customer usernames, real names, email addresses, passwords and location information. Although customer ...

  9. Canva 'working around the clock' to investigate data breach

    Canva, a popular online design toolkit, said it is working "around the clock" to investigate an attack on its systems that may have resulted in the data of 139 million users being compromised. In an alert issued over the weekend, Canva said: "On May 24, we became aware of a security incident. As soon as we were notified, we immediately ...

  10. A Case Study of Credential Stuffing Attack: Canva Data Breach

    DOI: 10.1109/CSCI54926.2021.00187 Corpus ID: 249928534; A Case Study of Credential Stuffing Attack: Canva Data Breach @article{NguyenBa2021ACS, title={A Case Study of Credential Stuffing Attack: Canva Data Breach}, author={Minh Hieu Nguyen Ba and Jacob Bennett and Michael Gallagher and Suman Bhunia}, journal={2021 International Conference on Computational Science and Computational Intelligence ...

  11. Canva's infosec resourcing 'still growing' two years after large data

    Australian tech unicorn Canva has a "much larger" and "still growing" security team and access to "ever-increasing" investment more than two years after a large-scale data breach. The company's ...

  12. Canva data breach: Why hacker Gnosticplayers boasted to the media

    Valuable data for cybercriminals, despite Canva's quick response. While bringing further attention to the breach could lower the value of the compromised data, given Canva users will change their passwords if the company hasn't reset them already, the data will still hold a lot of value for cybercriminals to exploit.

  13. A Case Study of Credential Stuffing Attack: Canva Data Breach

    A Case Study of Credential Stuffing Attack: Canva Data Breach. Minh Hieu Nguyen Ba, Jacob Bennett, Michael Gallagher, Suman Bhunia. A Case Study of Credential Stuffing Attack: Canva Data Breach. In International Conference on Computational Science and Computational Intelligence, CSCI 2021, Las Vegas, NV, USA, December 15-17, 2021.

  14. Attention Graphic Designers: It's Time to Secure Your Canva ...

    Canva claims to securely store all user passwords using the highest standards via a Bcrypt algorithm. Bcrypt is a strong, slow password-hashing algorithm designed to be difficult and time-consuming for hackers to crack since hashing causes one-way encryption. Additionally, each Canva password was salted, meaning that random data was added to ...

  15. Canva Data Breach: Everything You Must Know

    Canva Data Breach, the platform's official website. Canva is a popular online graphic design platform used by millions worldwide. The platform allows users to create great visual art such as social media graphics, presentations, posters and more. A free basic plan on Canva's website and a paid subscription offer additional features and ...

  16. How to Write a Case Study (Templates and Tips)

    A case study is a detailed analysis of a specific topic in a real-world context. It can pertain to a person, place, event, group, or phenomenon, among others. The purpose is to derive generalizations about the topic, as well as other insights. Case studies find application in academic, business, political, or scientific research.

  17. Canva criticised after data breach exposed 139m user details

    Paul Smith Technology editor. May 26, 2019 - 4.32pm. High profile Australian technology company Canva has faced criticism for its handling of a cyber attack that saw the data of approximately ...

  18. (PDF) Data Breach: Analysis, Countermeasures, and Challenges

    A data breach, according to the National Institute of Standards and Technology (NIST), is a security incident in which an unauthorized user views, transfers or discloses confidential data of an ...

  19. PDF A Case Study of the Capital One Data Breach (Revised)

    1. This case study containing a detailed analysis to identify and understand the technical modus operandi of the attack, as well as what conditions allowed a breach and the related regulations; 2. Technical assessment of the main regulations related to the case study; 3.

  20. Canva Data Security Breach

    Canva Data Breach - A Lesson For Budding Businesses. A data breach can gravely harm the reputation of any business and also hurt the sentiments of the users whose information gets exposed. The matters may become even worse if the aftermath of the incident is not handled decisively. Last week, the Australian tech giant Canva reported a major ...

  21. (PDF) Surviving Data Breaches: A Multiple Case Study Analysis

    our study uses a multiple case study approach based on three recent data breaches - Target, Anthem, and Yahoo. We adopt the approach of Breznik et al. (2019) in focusing on how six key firm ...

  22. PDF Lessons Learned From Data Breaches To Better Protect Yourself

    Sources: IBM cost of a data breach report, Verizon data breach investigation report, Varonis data breach statistics. Loss of business (revenue, brand, customer trust) is the largest cost factor ... Case Study: Canva www.sangfor.com Sangfor Technologies Notifying their users Prompting users to change password and reset Google token Coordinating and

  23. (PDF) A Case Study on the Zynga Breach

    The documents contain a case study on the recent data breach of Zynga in 2019. The breach impacted over two hundred million users and was done by a hacker with the handle 'Gnosticplayers' Discover ...