Hacker has designs on Canva data, steals info belonging to 139M users

News by Bradley Barth

Exposed data included usernames, email addresses, encrypted passwords, actual customer names and city and country information

The graphic design website Canva was hacked last Friday, reportedly compromising the data of approximately 139 million users.

According to an online support page, the Sydney-based company detected the attack while in progress on 24 May, and immediately took action to fix the cause of the breach.

Exposed data included usernames, email addresses, and encrypted passwords, which were salted and hashed with the bcrypt algorithm. Actual customer names and city and country information were also accessed, according to ZDNet, which was contacted by the hacker.

"I download everything up to 17 May," the hacker reportedly said. "They detected my breach and closed their database server." The report identifies the culprit as Gnosticplayers, a hacker that so far this year has attempted to hawk the stolen data of nearly one billion online accounts, via a dark web marketplace.

Customer designs and payment card information were not impacted, Canva’s team announced. "Our teams have been working around the clock to investigate the attack and communicate with our customers," the company statement reads.

"We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers."

Canva also said it is engaging with both forensic experts and the US law enforcement authorities, including the FBI.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop