Data breach in Canva; over 100 million users were affected

Web application security testing specialists reported a data breach incident in Canva, a web design platform developed in Australia; a malicious actor claims to have compromised the security of the platform to steal information belonging to about 139 million users.

According to the reports, the extracted information includes:

  • Users’ full names
  • Website usernames
  • Email addresses
  • Users’ country and city of residence

Although a data breach is never good news, not everything is lost for Canva: the passwords associated with users' email addresses were protected by an algorithm known as Bcrypt, which, according to web application security testing specialists, is almost impossible to decrypt.

The first person to talk about the incident was the hacker himself, known under the pseudonym ‘GnosticPlayers’, the same threat actor that in the past months claimed to have stolen data from millions of people through multiple compromised websites. The hacker reportedly contacted some specialists to inform them of his crime.

Subsequently, a representative of Canva acknowledged that the company had suffered a security breach that allowed unauthorized access to various personal details of users, such as username and email address.

Through a statement, Canva mentioned: “All passwords of our users are stored safely, because we adhere to the highest standards of information protection. However, we will continue to monitor the situation as an additional security measure”.

Web application security testing experts recommend that Canva users reset their passwords; anyone who uses the same password on other platforms should change it on those websites as well. Canva users can also access the platform through their Facebook or Google accounts; the passwords of these platforms stored by Canva are not part of the list of data compromised by the hacker.

According to the specialists from the International Institute of Cyber Security (IICS), Bcrypt is a password hashing algorithm designed to hinder the work of hackers; in addition, each Canva user password has additional random characters that make it harder for hackers to decrypt them.
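The effect of those random characters (a per-user salt) combined with a deliberately slow hash can be seen in the added example below, which is not code from Canva or from the article. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for Bcrypt, and the record layout, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt here.
# The record layout and the iteration count are constructed for this example.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password, iterations=ITERATIONS):
    """Return 'algo$iterations$salt$hash' with a fresh random salt per call."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, OverflowError):  # malformed or truncated record
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record uses a lower cost than current policy (or is malformed)."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    first = hash_password("correct horse battery")
    second = hash_password("correct horse battery")
    print(first != second)  # same password, different salt, different record
    print(verify_password("correct horse battery", first))
    print(needs_rehash(hash_password("pw", iterations=1_000)))
```

Because the salt and cost are stored with each record, a service can raise the cost over time and use `needs_rehash` at the next successful login to upgrade older records.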