A Case Study of Credential Stuffing Attack: Canva Data Breach


Decrypting Canva’s Security Breach That Affected 139 Million User Accounts

Yet another attack by a hacker responsible for cyber threats at over 44 companies worldwide.

Spreeha Dutta


If you have been a Canva user for over a year now, then on the 26th of May 2019 you would have received an email from Canva notifying you about the company being at the receiving end of a security attack. Canva was very responsive throughout, be it in taking the necessary protective measures against the attack or informing the concerned cyber crime cell.

However, at that time the attack was estimated to have only minimally impacted the 139 million user accounts. It was only later, on the 11th of January 2020, that it was found that the attack could have affected as many as 4 million accounts whose passwords had also been successfully decrypted by the hacker.

But before we go further, a brief background on Canva: it is one of the most popular graphic design startups, founded in Australia in 2013. It currently has a presence in 190 countries with 15 million users. Read on to learn more about the attack and how Canva immediately responded to counter the potential damage.

Going Back To The Morning Of The Attack

On the 24th of May 2019, a hacker who goes by the name GnosticPlayers contacted ZDNet and claimed to have breached Canva earlier that morning.

“I download everything up to May 17,” the hacker said, as reported by ZDNet.

The Canva attack wasn’t the first time that he/she/the group had been responsible for a cyber attack. Dubsmash, MyFitnessPal and Zynga are a few of the names that had previously fallen victim to GnosticPlayers’ data breaches. GnosticPlayers is infamous as a hacker who has stolen the data of over 900 million users from 45 companies worldwide and put it up for sale on the dark web.

But how was the Canva attack different from other attacks?

Here, the attack was discovered and stopped by Canva while it was still occurring. Canva immediately shut down its database servers on detecting the attack. But what was most surprising was that, after the attack was stopped, the hacker directly contacted a journalism outlet (ZDNet) and admitted to having committed the crime.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict.

Many saw this bold move on the hacker’s part as a ploy to drive more sales of the stolen user accounts that he had put up for sale on the dark web.

What was compromised in the attack?

  • The profile database of 139 million users was accessed. It contained usernames, email ids and public profile ids.
  • Passwords, stored as bcrypt hashes. bcrypt is still considered one of the most secure password-hashing algorithms.
  • A claim of access to the OAuth login tokens of users who had logged in using Google. (OAuth tokens are what an application uses to make requests on the user’s behalf, within the scope the user has authorized for that application.)
  • Limited viewing of card details and payment data. Fortunately for Canva, it never stores complete credit card information in one place, so even though the attacker might have viewed these files momentarily, they could not have used them to make payments.

Why were the users not thought to be at much risk?

  • Since the passwords had first been salted and then protected with the bcrypt hashing function, it was considered at the time that, even with access to the hashed passwords, the attackers would not be able to recover the original passwords from them. bcrypt is one of the strongest password-hashing algorithms because its iteration count (the cost factor) can be increased over time to make it slower and thus more resistant to brute-force attacks.
  • The OAuth tokens too were encrypted with AES-128, and the keys were stored in a separate secure location. There was no evidence that the keys in that location were accessed, and without the keys the tokens alone would be of little use to the attacker.
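As an added illustration of the work-factor property the text credits bcrypt with (this is example code, not Canva's): a password store whose records carry their own salt and cost, so a hash created at a lower cost is re-hashed at the current policy cost the next time its owner logs in successfully. bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in, with the cost expressed as a log2 iteration count in bcrypt's style; the record format and cost values are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for this example: the work factor is log2(iterations),
# in the style of bcrypt's cost parameter. Raise CURRENT_COST as hardware gets
# faster; existing records are upgraded lazily, at login.
CURRENT_COST = 12
ALGO = "pbkdf2-sha256"   # stand-in for bcrypt, which is not in the stdlib
SALT_BYTES = 16


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)


def hash_password(password: str, cost: int = CURRENT_COST,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $algo$cost$salt$digest.

    Each password gets its own random salt, so identical passwords produce
    different records and one precomputed table cannot cover a whole database.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = _derive(password, salt, cost)
    return f"${ALGO}${cost}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    _, algo, cost, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported algorithm: {algo}")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest with the record's own salt and cost and compare
    in constant time, so timing does not leak how many bytes matched."""
    cost, salt, digest = parse_record(record)
    return hmac.compare_digest(_derive(password, salt, cost), digest)


def login(record: str, password: str,
          policy_cost: int = CURRENT_COST) -> Tuple[bool, Optional[str]]:
    """Verify a login and return (ok, upgraded_record).

    upgraded_record is non-None only when the password verified and the
    stored cost is below policy; the caller persists it in place of the old
    record. The plaintext is only available at login time, which is why the
    work factor of an existing hash can only be raised lazily, per user.
    """
    if not verify_password(record, password):
        return False, None
    stored_cost, _, _ = parse_record(record)
    if stored_cost >= policy_cost:
        return True, None
    return True, hash_password(password, policy_cost)


def needs_upgrade(record: str, policy_cost: int = CURRENT_COST) -> bool:
    """Report records still below the current policy cost, e.g. to measure
    how much of a database would be cheap to attack if it leaked."""
    return parse_record(record)[0] < policy_cost
```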

What was Canva’s Response To the Attack?

I too was a Canva user at the time of the breach and I still am. I received the following mail from them, as did its other customers, on the 26th of May, 2019.

Unexpected Turn Of Events…

It was only on the 11th of January 2020, 7 months after the attack that the company became aware that the hacker had been able to decrypt the passwords of as many as 4 million Canva accounts out of the 139 million accounts that had been compromised by the breach. It sent Canva into damage control mode once again.

Canva promptly notified all its users of the attack and, by emailing a set of guidelines for choosing a new password, asked everyone whose password had been decrypted to change it immediately. On the 12th of January 2020, Canva forcibly reset the passwords of all those who hadn’t changed them yet and emailed those users about it.

What’s the Current Situation?

In spite of all the storm that Canva weathered, to date, it continues to be one of the fastest-growing tech companies. In fact, since the attack, its Alexa website traffic rank shot up substantially and it was featured among the Top 200 most popular websites. Canva is currently valued at a massive sum of $3.2 billion. It remains a favorite among its users who are looking to build quick and attractive designs, logos, and posters.

However, this incident also brought to light a very essential issue for budding businesses and startups: however good their product might be, if they don’t cultivate healthy cyber security practices it will be difficult for them to survive going forward.

That’s all! Thanks for reading the entire way! Do leave your feedback. You can also connect with me on LinkedIn (https://www.linkedin.com/in/spreehadutta/), Twitter (https://twitter.com/DuttaSpreeha) and GitHub (https://github.com/Spreeha).


Written by Spreeha Dutta

A software engineer, blogger and podcaster navigating her way through life's beautiful stories.


Australian tech unicorn Canva suffers security breach


Canva, a Sydney-based startup that's behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.

Hack took place this morning

Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.

"I download everything up to May 17," the hacker said. "They detected my breach and closed their database server."

Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.

For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the hacker's claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site's staff and admins.

We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site's administrators, informing them of the breach and requesting an official statement.

"Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses," a Canva spokesperson told ZDNet via email.

"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution," the company said.

"We will continue to communicate with our community as we learn more about the situation."

One of the internet's biggest sites

Canva is one of Australia's biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a Series D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites, Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

With today's hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone's still keeping count, that's 1,071 billion credentials from 45 companies.

Previous coverage of GnosticPlayers' hacks:

  • Round 1 + Round 2 [620 million + 127 million user records]
  • Round 3 [93 million user records]
  • Round 4 [26.5 million user records]
  • Round 5 [65.5 million user records]


Canva ‘working around the clock’ to investigate data breach

Attack against graphic design site said to impact 139 million users


Canva, a popular online design toolkit, said it is working “around the clock” to investigate an attack on its systems that may have resulted in the data of 139 million users being compromised.

In an alert issued over the weekend, Canva said: “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities.”

The Australia-based company said that “a number” of usernames and email addresses were accessed by attackers.

However, ZDNet’s Catalin Cimpanu – who broke the story after receiving a tip-off from the alleged hacker – said the number of potentially impacted Canva users could be somewhere in the region of 139 million.

In an update this morning, Canva said:

Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.

In addition to usernames and email addresses, the company said the hackers obtained passwords in their encrypted form (salted and hashed with bcrypt).

While these passwords remain unreadable by external parties, users have been urged to change their Canva passwords.

The Daily Swig has asked the company if its investigation has shone any light on the number of impacted customers.

Blank Canva

Founded in 2012, Canva is a community-focused design site that allows users of varying abilities to create graphics for presentations, posters, and social media.

The tech firm, which gained popularity for its user-friendly drag-and-drop functionality, recently raised $70 million in its latest funding round.

In the days following the attack, the business came under fire from some users who claimed that the news of the security incident was buried below a paragraph of “marketing fluff”.


While these users do have a point, it should also be noted that Canva set about informing customers within 24 hours of being alerted to the incident, and since then has been actively answering questions on social media.

“The prompt honesty is much more appreciated than those companies who are afraid of admitting a breach,” said one Twitter user.

“Thank you for your honesty and transparency,” added another.


James Walker (@jameswalk_er)


Canva's infosec resourcing 'still growing' two years after large data breach

Post-incident reports offer extra details on May 2019 attack.

Australian tech unicorn Canva has a "much larger" and "still growing" security team and access to "ever-increasing" investment more than two years after a large-scale data breach.

The company’s newly-appointed head of security Paul Clarke told a pre-recorded AWS event last week that the 2019 breach “had a really visceral impact on company executives”, underlining the need for sustained investment and resourcing as well as for a “company-wide focus” on security.

Canva’s systems were breached on Friday, May 24, 2019, and "up to" 139 million users’ details, comprising usernames, email addresses and hashed passwords, were stolen.

The company said at the time that it had stopped an in-progress “attack on our systems”. 

“Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response,” the company said in a notification .

Though the breach pre-dated Clarke's time at Canva by several years, he elaborated on this aspect of the attack at the AWS event, saying his knowledge was drawn from reading the company’s “detailed post-incident reports” and from “talking to people who were involved in” the response and mop-up.

“The event began from Canva’s perspective on a Friday - [because] ... all major security incidents begin as you’re going into the weekend,” he said.

“It started with an alert from one of our monitoring systems about unusual activity happening in one of Canva’s AWS accounts. 

“When the on-call engineer investigated they identified suspicious activity coming from a particular IP address using particular access credentials, and they quickly acted to block the access of what was at that point a presumed attacker. 

“The event then took a slightly unusual turn, in my personal experience, which was at the point that the attacker lost their access, they immediately contacted tech media journalists and went public on Twitter about their activity. 

“So Canva found itself in a situation where this was public domain knowledge on the same day that Canva had identified this issue and was trying to understand exactly what had happened.”

From his reconstructed understanding of the incident response, Clarke said Canva had “three streams of work” running concurrently.

“There was the technical response to understand what had actually happened, there was a communications plan response about informing our community about the potential impact to them, and then there was a third workstream which was focused on data privacy regulator notification and law enforcement engagement,” he said.

“We ultimately discovered that the attacker had been able to gain access to some Canva systems and they’d been able to take a copy of our user database which contained usernames, email addresses, and password hashes for users who logged in directly with Canva rather than using Google or Facebook to login, and that kind of informed our communication plan. 

“We have an immediate obligation to notify our community and we did that through different channels - through social media, direct email to customers, and constant updates on a dedicated security incident page on our website, and that page is still there today.”

The company’s initial emailed notification to users was criticised at the time for burying disclosure of the breach under unrelated marketing information.

Speaking broadly about its communications plan, Clarke said it was challenging to translate into all the languages spoken by its user base.

He said the incident had “influenced the culture at Canva”, resulting in more resourcing and investment being put behind security.

“This event from two years ago had a really visceral impact on company executives,” he said.

“They truly understand that security incidents, security breaches are part of the business’s existential risk now and need to be managed as such, so there is real understanding from the very top of the company that this really matters and it needs company-wide focus. 

“More specifically there’s been an ever-increasing investment in security, so the security group is much larger than it was two years ago and it’s still growing. Our investment in tools and trusted partners continues to grow. 

“I think it’s just widely acknowledged across the company that security is as important to the business as feature development [or] customer acquisition.”

Clarke added that the breach highlighted the importance of being well-practiced at incident response.

“To be efficient and effective during an incident, you must have practiced outside of that pressurised situation,” he said.

“Know your incident response plan, know who is responsible for which elements of it, and practice, practice, practice.”


Gnosticplayers: Why the hacker behind the Canva data breach boasted to the media


‘Gnosticplayers’ appears to have struck again last week, with the notorious hacker claiming to be behind the 24 May data breach that saw the personal details of almost 140 million Canva users accessed.

The graphic design platform detected and stopped the attack as it was occurring, but not before the malicious actor accessed data including usernames, real names, email addresses, countries, encrypted passwords and partial payment data.


Gnosticplayers, who is believed to be behind hacks involving more than 40 large companies in 2019, contacted ZDNet immediately to notify them of and claim responsibility for the breach, as he has various times in the past.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict.

So why would a hacker use this unusual tactic, and how much does this notoriety benefit somebody like Gnosticplayers?

Attracting a buyer

Given the ease of sale that popular dark web marketplaces provide cybercriminals, financial gain is the most likely incentive for hackers to carry out such a breach.


That appears to be the case for Gnosticplayers, who has listed close to one billion compromised records on the dark web since February, requesting varying amounts of bitcoin in exchange for this stolen data.

Cybersecurity experts feel that the attempt to spread details of the breach in the mass media is a likely effort to promote the data that has been stolen.

Given that Dream, the dark web marketplace where Gnosticplayers previously sold their data, shut down last month, it “makes sense” that they would reach out to the media to continue to advertise their hacks, Daniel Smith, an information security researcher for Radware’s Emergency Response Team, believes.

Valuable data for cybercriminals, despite Canva’s quick response

While bringing further attention to the breach could lower the value of the compromised data, given Canva users will change their passwords if the company hasn’t reset them already, the data will still hold a lot of value for cybercriminals to exploit.

“These passwords will still have a lot of value,” Alashe told Verdict. “That’s because, even after a breach, and even after one that is well-publicised, many affected users won’t voluntarily change them.”

“What’s more, since most users reuse passwords across multiple platforms, even if people do change their Canva passwords, it’s likely that other accounts are still compromised.”

Cybercriminals will use this data to carry out credential stuffing attacks. This involves trying a large number of email and password combinations in the hopes of breaching an account. Given that password reuse is still rife, credential stuffing can provide cybercriminals access to accounts not just on the breached platform, but also to other websites and platforms across the web.
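As an added example (not from the article), the detection side of what the paragraph describes: a scan of constructed login logs that separates a source replaying a leaked email:password list (many distinct accounts, mostly failures, inside a short window) from a legitimate user retrying one account, and lists the accounts where a reused password actually worked so they can be reset. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Assumed tuning for this example: a source that tries at least this many
# distinct accounts inside one window, with failures dominating, looks like a
# leaked email:password list being replayed rather than a user retrying.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.8

# Constructed sample log (assumed format). 203.0.113.5 replays a breached
# list and happens to hit carol, who reused her password; 198.51.100.7 is
# dave mistyping his password twice; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2019-05-24T09:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2019-05-24T09:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2019-05-24T09:00:03Z ip=203.0.113.5 user=carol@example.com result=success
2019-05-24T09:00:04Z ip=203.0.113.5 user=dan@example.com result=fail
2019-05-24T09:00:05Z ip=203.0.113.5 user=erin@example.com result=fail
2019-05-24T09:00:06Z ip=203.0.113.5 user=frank@example.com result=fail
2019-05-24T09:00:07Z ip=203.0.113.5 user=grace@example.com result=fail
2019-05-24T09:00:08Z ip=203.0.113.5 user=heidi@example.com result=fail
2019-05-24T09:00:10Z ip=198.51.100.7 user=dave@example.com result=fail
2019-05-24T09:00:30Z ip=198.51.100.7 user=dave@example.com result=fail
2019-05-24T09:00:45Z ip=198.51.100.7 user=dave@example.com result=success
2019-05-24T09:01:00Z ip=192.0.2.9 user=eve@example.com result=success
"""


def parse_line(line: str) -> dict:
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "success",
    }


def detect_stuffing(lines: Iterable[str], window: timedelta = WINDOW,
                    min_users: int = MIN_DISTINCT_USERS,
                    min_fail_ratio: float = MIN_FAIL_RATIO) -> Dict[str, dict]:
    """Slide a time window over each source IP's attempts and report the
    window with the most distinct accounts that meets both thresholds."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["ts"])
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "fail_ratio": ratio,
                    "first_seen": win[0]["ts"],
                    "last_seen": win[-1]["ts"],
                    # Successes inside a stuffing burst are the real damage:
                    # reused passwords that worked.
                    "hits": sorted(e["user"] for e in win if e["ok"]),
                }
    return findings


def accounts_to_reset(findings: Dict[str, dict]) -> Set[str]:
    """Accounts successfully logged into from a flagged source; these need
    a forced password reset and revocation of the sessions just created."""
    return {u for f in findings.values() for u in f["hits"]}


def run_sample() -> Dict[str, dict]:
    return detect_stuffing(SAMPLE_LOG.splitlines())
```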

Likewise, cybercriminals can also use breached passwords in their phishing attempts in order to trick victims into handing over money. Cybercriminals carry out sextortion scams, for example, where they claim to have compromised the victim’s system and recorded compromising footage of them, using the password as ‘proof’ of the breach.

Hackers for hire

While Gnosticplayers appears to be promoting the compromised data for sale, hackers may also turn to the media in attempt to promote themselves.

In that regard, notoriety is hugely important. Claiming an attack against a large organisation could prove far more lucrative than selling the data on should they attract the attention of those looking to carry out cyberattacks against a particular organisation.

“There are a number of reasons why hackers hack, and… one of them is self-publicity,” Guy Bunker, chief technology officer for IT security company Clearswift, told Verdict. “While in the old days it was about defacing websites and then showing it could be done, these days it is about being able to show off technological prowess and then ‘selling it to the highest bidder’.”

While the dark web might be associated with the criminal underworld, legitimate actors also frequent the hacker-for-hire market, according to Sam Curry, chief security officer at Cybereason.

“It’s not just governments turning to cyber for a quick fix or new options, it’s also the private sector,” Curry told Verdict. “Sometimes they [hackers] are employed by competitors or activists to embarrass and expose victims.”

It is unclear how common this practice is in the business world. However, a past study conducted by cybersecurity firm Kaspersky found that 40% of businesses hit by a distributed denial of service (DDoS) attack believed that their competitors were behind it. A DDoS attack involves flooding a web server with traffic in order to use up its bandwidth, which stops legitimate users from connecting to the server.

However, hacking attempts launched against businesses have the potential to be far more costly than some downtime. Under the European Union’s General Data Protection Regulation (GDPR), businesses can be fined up to €20m or 4% of global annual turnover for failing to protect user data.

“These days, with GDPR, there is the potential for a significant fine to be levied because of the breach – highlighting it will bring it to the attention of the media and the regulatory authorities, and with that the investigations, allegations and fines,” Bunker said.

Controlling the narrative

Hacking isn’t always about financial gain. Many breaches are carried out for socially or politically motivated reasons, a practice referred to as hacktivism.

Anonymous is the most widely known hacktivist group, having launched attacks on targets including the Islamic State, the Westboro Baptist Church and businesses such as PayPal and Sony, while groups like Lizard Squad and LulzSec have also attracted attention in recent years.

According to Alashe, contacting the media means that the hacker “takes control of the narrative”, allowing hacktivists to share their reasons for carrying out an attack.

Regarding Gnosticplayers, the hacker has previously alluded to poor security and data handling as a possible motive for his attacks.

“I got upset because I feel no one is learning,” the hacker previously told ZDNet. “I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.”

Then there is also the reputation that it brings in the hacker community. For many, financial gain is “just the bonus that comes with the territory”, Alashe explained.

Gnosticplayers’ willingness to talk to the media, while somewhat unusual, has undoubtedly made him one of the most publicly visible hackers operating at the moment.

“Scores are kept by what other hackers think of your skill and the reputation of the companies you’ve been able to break into, and not necessarily how much money you’ve made,” Alashe said.

“Criminal behaviour, whether online or offline, is still criminal”

Hacktivists may have their reasons for carrying out an attack, but Curry emphasised that, regardless of motive, hacking is still a crime.

“Criminal behaviour, whether online or offline, is still criminal plain and simple,” Curry told Verdict. “We should focus on the hacker of Canva and finding them rather than guessing at motive.”

Canva has confirmed that it is working with cybersecurity experts and organisations such as the FBI in the wake of the breach, as the hunt continues for the culprit believed to be behind hacks on companies including Under Armour, MyHeritage, Mindjolt and GameSalad.


139 million users hit in data breach

In May 2019, the company suffered a data breach that affected 139 million customers. Canva detected the attack while it was still in progress; the perpetrator then took to Twitter to make the attack public, which forced the company into swift damage control.

The data exposed included customer usernames, real names, email addresses, password hashes and location information. Passwords were not stored in plaintext: Canva stored them individually salted and hashed with bcrypt, so what the attacker obtained were hashes rather than encrypted or cleartext passwords. No credit card details or designs were accessed in the attack.

In January 2020, the company became aware of a list of approximately 4 million customer accounts, taken in the May 2019 breach, for which the attackers had cracked the password hashes and shared the results online. A salted hash cannot be decrypted; it is cracked by guessing candidate passwords, hashing each one with the account's salt and comparing the output to the stolen hash, which is why accounts with weak or common passwords were the ones recovered.
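The following is an added example, not code from the page or from Canva, showing why a stolen salted-hash list yields weak passwords but not strong ones. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (an assumption made so that it runs with no third-party dependency; bcrypt's cost parameter plays the same role as the iteration count here). The accounts, salts and wordlist are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor for the stand-in KDF. Kept low so the example runs in well under a
# second; a production deployment would use a far higher cost (or bcrypt/argon2).
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_dump(accounts: dict[str, str], iterations: int = ITERATIONS) -> list[tuple[str, bytes, bytes]]:
    """Simulate what an attacker exfiltrates: (username, salt, hash) per account.
    Plaintext passwords are never stored, so this is the only form the breach exposes."""
    dump = []
    for user, password in accounts.items():
        salt = os.urandom(16)  # per-user random salt, stored next to the hash
        dump.append((user, salt, hash_password(password, salt, iterations)))
    return dump


def crack(dump: list[tuple[str, bytes, bytes]], wordlist: list[str],
          iterations: int = ITERATIONS) -> dict[str, str]:
    """Offline guessing attack against the dump.

    Each candidate is re-hashed with the account's own salt and compared to the
    stolen digest. Per-user salts mean one KDF call per (account, guess) pair and
    no precomputed table, so cost scales with iterations * accounts * guesses.
    Returns username -> recovered password for every hash the wordlist breaks."""
    recovered: dict[str, str] = {}
    for user, salt, digest in dump:
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt, iterations), digest):
                recovered[user] = guess
                break
    return recovered


# Constructed sample accounts (not real breach data): two weak, two strong passwords.
SAMPLE_ACCOUNTS = {
    "alice": "password123",
    "bob": "qwerty",
    "carol": "Tq9!vL2#mXp8&zRw",
    "dave": "correct-horse-battery-staple-42",
}

# Constructed wordlist of the kind an attacker feeds a cracker.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "canva2019"]


def demo() -> dict[str, str]:
    """Build the simulated dump and run the wordlist attack against it."""
    return crack(build_dump(SAMPLE_ACCOUNTS), WORDLIST)


if __name__ == "__main__":
    # Only the two accounts whose passwords appear in the wordlist are recovered.
    print(demo())
```

Running it recovers only the two accounts whose passwords sit in the wordlist; the two strong passwords survive because the attacker would need to guess them outright. The salt and the work factor do not protect a password that is itself guessable, which is exactly the subset of accounts that turned up cracked eight months after the breach.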


What You Need to Know About Canva Data Breach

Table of contents

  • When Was The Canva Data Breach?
  • How To Find Out Your Data Breach
  • What To Do After Data Breach
  • Are There Any Lawsuits Because Of The Data Breach?
  • Can My Canva Information Be Used For Identity Theft?
  • How To Prevent a Data Breach?

By David Lukic. Published: Nov 02, 2021. Last Updated: Mar 18, 2022.

David Lukić is an information privacy, security and compliance consultant at idstrong.com. The passion to make cybersecurity accessible and interesting has led David to share all the knowledge he has.


Credit Freeze vs. Lock: What’s the Difference?

With all our technology and connectedness comes a price, vulnerability. Now more than ever before, our credit and identities are at risk from cybercriminals, thieves, and hackers.

canva data breach case study pdf

Blog Privacy & Identity Protection Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

Internet Security

Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

May 29, 2019

Online graphic design tools are extremely useful for creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren't immune to malicious activity. Canva, a popular Australian web design service, was recently breached by a hacker, compromising 139 million user records.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter at ZDNet on May 24th and told him about the intrusion. The hacker claims to have stolen data on about 1 billion users from multiple websites. The compromised Canva data includes names, usernames, email addresses, and city and country information.

Canva states that it stores all user passwords with bcrypt. Bcrypt is a deliberately slow, salted password-hashing function designed to make offline cracking expensive: a hash is one-way, so a stolen hash cannot be "decrypted" back into the password, only attacked by guessing candidates and hashing each one, and the tunable cost factor bounds how many guesses per second an attacker can make. Each Canva password was also salted, meaning random data was mixed into the hash so that two users with the same password do not produce the same hash and precomputed tables are useless. According to ZDNet, the stolen data contained bcrypt hashes for 61 million users; separately, 78 million of the exposed accounts were associated with Gmail addresses. Bcrypt slows cracking but does not prevent it for weak or reused passwords: Canva later reported that roughly 4 million of these hashes had been cracked and the plaintext passwords shared online.
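The hashing described in the paragraph above, as an added example that is not part of the original post or of Canva's code. Python's standard library has no bcrypt, so this uses PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) as a stand-in with the same structure: a random per-user salt and a tunable cost stored alongside the hash. It also runs the attacker's side, a dictionary attack over a constructed wordlist, to show why a slow salted hash protects a strong password but not a weak one. The usernames, passwords and wordlist are made up for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor per guess. bcrypt stores a log2 cost (2**cost rounds); PBKDF2
# stores a plain iteration count. 600k is the current OWASP figure for
# PBKDF2-HMAC-SHA256; demo_leak lowers it only to keep the run short.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>'.

    Like a bcrypt string, the record carries its own salt and cost. The salt is
    not a secret; its job is to make identical passwords hash to different
    values and to make precomputed (rainbow) tables useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack_record(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one leaked record.

    This is what the recipient of a dump does with a hash: every candidate costs
    one full PBKDF2 (or bcrypt) computation, so the cost factor caps the guess
    rate, but it does nothing for a password that is in the wordlist.
    """
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


def demo_leak(iterations: int = 50_000) -> Dict[str, Optional[str]]:
    """Constructed 'dump' of three accounts, attacked with a constructed wordlist.

    alice and bob share a password; their records still differ because each got
    its own salt. Only carol's long random password survives the attack.
    """
    wordlist = ["password", "123456", "canva2019", "summer2019", "qwerty", "letmein"]
    users = {
        "alice": "summer2019",
        "bob": "summer2019",
        "carol": "Tq7#vN!2pL9xZ&bE4r",
    }
    dump = {name: hash_password(pw, iterations) for name, pw in users.items()}
    assert dump["alice"] != dump["bob"]  # same password, different salt
    return {name: crack_record(rec, wordlist) for name, rec in dump.items()}


if __name__ == "__main__":
    for user, found in demo_leak().items():
        print(f"{user}: {'cracked -> ' + found if found else 'not in wordlist'}")
```

In production you would use the bcrypt package (bcrypt.hashpw / bcrypt.checkpw) or Argon2 rather than PBKDF2; the stored string has the same shape, with cost and salt embedded, and the cracking economics are the same: the cost factor buys time per guess, and only password strength buys the number of guesses the attacker needs.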

Canva has notified users of the breach by email and assured them that payment card and other financial data was not exposed. However, even if you aren't a Canva user, it's worth knowing which precautions to take when a service you use is breached. Check out the following tips:

  • Change your passwords. As a precaution, Canva is encouraging its users to change their Canva password and the password of the email account tied to it. If a cybercriminal gets hold of the exposed data, they can replay the same username and password against other sites (credential stuffing), so any account that shares those credentials is at risk, not just Canva.
  • Check to see if you've been affected. If you've used Canva and believe your data might have been exposed, use this tool to check, or set an alert to be notified of future breaches involving your email address.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised in a breach, Identity Theft Protection monitors your data and alerts you if a cybercriminal attempts to use it.
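What the first tip guards against, seen from the service's side, as an added example that is not from the original post or from Canva: a small detector that reads authentication log lines and flags the signature of credential stuffing, many distinct usernames from one source with a high failure rate and the occasional success. The log format and the three source addresses are constructed for the example; nothing here is a real Canva log.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of an authentication log; the format
# "<time> ip=<addr> user=<name> result=ok|fail" is an assumption for the demo.
# 203.0.113.7 replays leaked username/password pairs (credential stuffing):
# many different users, one attempt each, and one of them succeeds.
# 198.51.100.4 is a legitimate user mistyping twice. 192.0.2.9 hammers one
# account (brute force), a different pattern that belongs to a different rule.
SAMPLE_AUTH_LOG = """\
2019-05-24T03:00:01Z ip=203.0.113.7 user=alice result=fail
2019-05-24T03:00:01Z ip=203.0.113.7 user=bob result=fail
2019-05-24T03:00:02Z ip=203.0.113.7 user=carol result=ok
2019-05-24T03:00:02Z ip=203.0.113.7 user=dave result=fail
2019-05-24T03:00:03Z ip=203.0.113.7 user=erin result=fail
2019-05-24T03:00:03Z ip=203.0.113.7 user=frank result=fail
2019-05-24T03:00:04Z ip=203.0.113.7 user=grace result=fail
2019-05-24T03:00:04Z ip=203.0.113.7 user=heidi result=fail
2019-05-24T03:05:10Z ip=198.51.100.4 user=alice result=fail
2019-05-24T03:05:20Z ip=198.51.100.4 user=alice result=fail
2019-05-24T03:05:31Z ip=198.51.100.4 user=alice result=ok
2019-05-24T03:07:00Z ip=192.0.2.9 user=bob result=fail
2019-05-24T03:07:01Z ip=192.0.2.9 user=bob result=fail
2019-05-24T03:07:02Z ip=192.0.2.9 user=bob result=fail
2019-05-24T03:07:03Z ip=192.0.2.9 user=bob result=fail
2019-05-24T03:07:04Z ip=192.0.2.9 user=bob result=fail
2019-05-24T03:07:05Z ip=192.0.2.9 user=bob result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (timestamp, ip, user, success) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["ts"], m["ip"], m["user"], m["result"] == "ok"


def credential_stuffing_suspects(lines: Iterable[str], *, min_attempts: int = 5,
                                 min_distinct_users: int = 5,
                                 min_failure_ratio: float = 0.75) -> Dict[str, dict]:
    """Flag source IPs whose login traffic looks like replayed leaked credentials.

    Stuffing tries each stolen pair once or twice, so the tell is breadth
    (many distinct usernames per source) combined with a high failure rate,
    not depth on one account. Any success inside such a burst is an account
    to reset and whose sessions and tokens to revoke.
    """
    attempts: Dict[str, int] = defaultdict(int)
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    hits: Dict[str, set] = defaultdict(set)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        _, ip, user, ok = parsed
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)
        else:
            failures[ip] += 1

    suspects: Dict[str, dict] = {}
    for ip, n in attempts.items():
        ratio = failures[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and ratio >= min_failure_ratio:
            suspects[ip] = {
                "attempts": n,
                "distinct_users": len(users[ip]),
                "failure_ratio": ratio,
                "compromised_users": sorted(hits[ip]),
            }
    return suspects


if __name__ == "__main__":
    for ip, info in credential_stuffing_suspects(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, only 203.0.113.7 is flagged, with carol listed as the account the replay actually opened; the single-account brute force from 192.0.2.9 is deliberately not matched by this rule, since a distinct-username threshold is what separates stuffing from password guessing. Real deployments would key on more than the source address (stuffing is usually spread over proxies) and pair the detector with rate limiting and a forced reset for the accounts in compromised_users.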

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow  @McAfee_Home  on Twitter, listen to our podcast  Hackable? , and ‘Like’ us on  Facebook .

Canva Data Breach - A Lesson For Budding Businesses

A data breach can gravely harm the reputation of any business and also hurt the sentiments of the users whose information gets exposed. The matters may become even worse if the aftermath of the incident is not handled decisively. Last week, the Australian tech giant Canva reported a major data breach that left the entire online community in shock.

Canva Security Breach - What actually happened?

In this incident, the attacker stole the records of over 139 million Canva users. The exposed data included real names, usernames, email addresses, and city and country information.

The Canva account passwords included in the stolen data were not in plaintext: they were stored as salted bcrypt hashes, which are expensive to crack. That makes them hard, not impossible, to recover; weak passwords can still be guessed offline, and Canva later confirmed that about 4 million of them were. Dates of birth and home addresses were not among the stolen data.

Soon after the breach was confirmed, the authorities at Canva urged their users to change passwords as a precautionary measure.

Launched in 2012, the Sydney-based graphic design unicorn has a user base of millions across almost 179 countries.

The incident was reported on 24 May by a ZDNet journalist, who asked the hacker for a sample dataset to verify the claim and received the personal data of around 17,000 users. Canva later confirmed the breach. The hacker behind the attack goes by the name GnosticPlayers and is notorious for earlier intrusions.

Since the beginning of 2019, this hacker has claimed to have stolen the data from around 1 billion users of about 44 major online companies and has put up that data for sale on the dark web.

The stolen data included the password hashes of nearly 61 million users; fortunately, they were hashed with bcrypt, a slow, salted hashing function that raises the cost of cracking. The hacker also obtained Google tokens, which many users relied on to sign in to Canva through their Google account instead of setting a password. Unlike a hash, a valid token can be used directly, so such tokens must be invalidated and reissued after a breach; Canva's response included prompting users to reset them.

Canva’s Response To the data-leak: What Startups Should Learn

The last few weeks were more like a roller coaster ride for the Australian company. Since its launch, Canva has become the primary choice of users in the online design market and currently ranks #170 in the Alexa website traffic ranking.

In the past week, the company also raised almost $71 million in its Series D funding and was valued at a whopping $3.5 billion, making it one of the fastest-growing Australian tech startups. The company also acquired two free photography sites named Pexels and Pixabay recently.

Everything was running smoothly until the breach news came in. After the breach was detected by Canva on 24 May, the way the company communicated the incident to its users raised some serious questions.

Instead of leading with the breach, Canva's initial email to customers opened with the company's recent acquisitions and achievements. The wording and structure of the email were heavily criticised by security experts on social media.

Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you've been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl — Dave Hall (@skwashd) May 25, 2019

The critics accused Canva of marketing its brand achievements rather than being focused on the real data security issue. After the harsh feedback, the company corrected its mistake and issued another email that focused only on the breach issue.

The budding startups have a significant lesson to learn from this incident. As new businesses grow in size and scale, the risks related to cybersecurity also increase and so do the chances of getting breached. Companies should make thorough action plans and strategies for scenarios like these and try to be as straightforward as possible while explaining the criticality of such incidents to their users.

The temptation to soften the gravity of the issue can make the situation worse, which is why it is better to share accurate information promptly with the affected users.

It is essential to keep the stakeholders acquainted and updated about the crisis and consistently address their queries in times like these. Following the best cybersecurity practices from the beginning will undoubtedly go a long way.        

Subho Halder

COMMENTS

  1. A Case Study of Credential Stuffing Attack: Canva Data Breach

    Abstract: In May 2019, the hacker known as GnosticPlayers attacked Canva, an Australian tech giant, and was able to obtain data from 139 million users from this one attack alone. Overall, GnosticPlayers has data from nearly one billion users from attacking different platforms and companies. The technique they used to take all of this user data is called credential stuffing and credential cracking.

  2. Canva Security Incident

    Page Updated January 17, 10:21 AEST. On the 11th of January 2020, Canva became aware of a list of approximately 4 million Canva accounts containing user passwords stolen as part of the May 24 breach (see notes below, dated June 1, 10:13 AEST). The passwords had been decrypted and recently shared online. As unchanged passwords might be used to ...

  3. A Case Study of Credential Stuffing Attack: Canva Data Breach

    Nguyen Ba Minh et al. [81] described the case of the Canva data breach, where the attacker GnosticPlayers was able to obtain data from 139 million users by credential stuffing and credential ...

  4. A Case Study of Credential Stuffing Attack: Canva Data Breach

    A Case Study of Credential Stuffing Attack: Canva Data Breach. In May 2019, the hacker known as GnosticPlayers attacked Canva, an Australian tech giant, and was able to obtain data from 139 million users from this one attack alone, which can be prevented by multiple strategies including Multi.

  5. PDF Case Study Credential Stuffing and Credential Cracking

    Breach Summary Canva, an online design platform, suffered a data breach that may have affected 147 million users. The incident was caused by a malicious actor who gained access to Canva's systems through an employee's account. The intruder then gained access to a database containing information on Canva's users, including names, email

  6. Decrypting Canva's Security Breach That Affected 139 Million User

    The email sent by Canva on 26th May 2019 informing its customers Unexpected Turn Of Events… It was only on the 11th of January 2020, 7 months after the attack that the company became aware that the hacker had been able to decrypt the passwords of as many as 4 million Canva accounts out of the 139 million accounts that had been compromised by the breach.

  7. Australian tech unicorn Canva suffers security breach

    Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning. "I download everything up to ...

  8. A Case Study of Credential Stuffing Attack: Canva Data Breach

    DOI: 10.1109/CSCI54926.2021.00187 Corpus ID: 249928534; A Case Study of Credential Stuffing Attack: Canva Data Breach @article{NguyenBa2021ACS, title={A Case Study of Credential Stuffing Attack: Canva Data Breach}, author={Minh Hieu Nguyen Ba and Jacob Bennett and Michael Gallagher and Suman Bhunia}, journal={2021 International Conference on Computational Science and Computational Intelligence ...

  9. Canva 'working around the clock' to investigate data breach

    Canva, a popular online design toolkit, said it is working "around the clock" to investigate an attack on its systems that may have resulted in the data of 139 million users being compromised. In an alert issued over the weekend, Canva said: "On May 24, we became aware of a security incident. As soon as we were notified, we immediately ...

  10. Canva's infosec resourcing 'still growing' two years after large data

    Australian tech unicorn Canva has a "much larger" and "still growing" security team and access to "ever-increasing" investment more than two years after a large-scale data breach. The company's ...

  11. Canva data breach: Why hacker Gnosticplayers boasted to the media

    Valuable data for cybercriminals, despite Canva's quick response. While bringing further attention to the breach could lower the value of the compromised data, given Canva users will change their passwords if the company hasn't reset them already, the data will still hold a lot of value for cybercriminals to exploit.

  12. Canva Data breach 139 million users affected

    In May 2019, the company suffered a data breach that affected 139 million customers. The company identified the attack whilst it was ongoing so the perpetrator took to twitter to make their attack public which forced the company into swift damage control mode. The data exposed included customer usernames, real names, email addresses, passwords and location information. Although customer ...

  13. PDF A Case Study of the Capital One Data Breach

    1. This case study containing a detailed analysis to identify and understand the technical modus operandi of the attack, as well as what conditions allowed a breach and the related regulations; 2. Technical assessment of the main regulations related to the case study; 3.

  14. (PDF) Surviving Data Breaches: A Multiple Case Study Analysis

    our study uses a multiple case study approach based on three recent data breaches - Target, Anthem, and Yahoo. We adopt the approach of Breznik et al. (2019) in focusing on how six key firm ...

  16. All About Canva Data Breach

    By David Lukic. Nov 02, 2021. Popular Australian-based graphic design platform Canva suffered a major data breach, which cost them 139 million user records along with a heaping pile of bad press. ZDNet was contacted on May 24th, 2020, by a hacker named GnosticPlayers who took credit for the breach and claimed that along with Canva, he or she ...

  17. (PDF) A Case Study on the Zynga Breach

    It has to be noted that in a similar breach by the same attacker on Canva, Canva managed to detect the breach while it was happening and saved millions of user ... Using a proper and safe ...

  19. PDF Lessons Learned From Data Breaches To Better Protect Yourself

    Sources: IBM cost of a data breach report, Verizon data breach investigation report, Varonis data breach statistics. Loss of business (revenue, brand, customer trust) is the largest cost factor ... Case Study: Canva www.sangfor.com Sangfor Technologies Notifying their users Prompting users to change password and reset Google token Coordinating and

  20. Canva Data Breach: Everything You Must Know

    Canva Data Breach, the platform's official website. Canva is a popular online graphic design platform used by millions worldwide. The platform allows users to create great visual art such as social media graphics, presentations, posters and more. A free basic plan on Canva's website and a paid subscription offer additional features and ...

  21. (PDF) Data Breach: Analysis, Countermeasures, and Challenges

    A data breach, according to the National Institute of Standards. and Technology (NIST) , is a security incident in which an unauthorized user view, transfer or disclose confidential. data of an ...

  23. (PDF) COMELEC data breach (2016) Case Study

    Abstract. The COMELEC data breach of 2016 was one of the largest data breaches in history, affecting over 55 million voters in the Philippines. The attackers were able to gain access to the voter ...