Canva 2019 data breach: Difference between revisions

(4 intermediate revisions by 4 users not shown)

Line 3:

On May 24, 2019, [[Canva]] identified their systems were attacked and posted an announcement about the breach, urging users to change their passwords. 139 million users were affected, and information taken includes usernames, real names, email addresses, and location. 61 million users' data included password hashes, and for other users, [[Google]] tokens were taken. Seven months later, on the 11th of January 2020, Canva became aware of 4 million user passwords had been decrypted and shared online. Following the discovery, on the 12th of January Canva has forcefully reset the password of every user that had not changed it since the date of the incident.

==Background==

==[Incident]==

The attack was linked to a group known as GnosticPlayers.<ref>{{Cite web|url=https://www.packtpub.com/en-us/learning/how-to-tutorials/canva-faced-security-breach-139-million-users-data-hacked-zdnet-reports|title=Canva faced security breach, 139 million users data hacked: ZDNet reports|first=Fatema|last=Patrawala|work=Packt|date=2019-05-28|access-date=2026-04-27}}</ref> The group claimed to exfiltrate data and offered it for sale on breached forums, with motives of financial gain. The breach was caused by credential stuffing and credential cracking.<ref>{{Cite web |last=Minh Hieu Nguyen Ba |last2=Bennet |first2=Jacob |last3=Gallagher |first3=Michael |last4=Bhunia |first4=Suman |title=A Case Study of Credential Stuffing Attack: Canva Data Breach |url=https://ieeexplore.ieee.org/document/9799087 |url-status=live |website=[[IEEE Xplore]] |publisher=[[IEEE]]}}</ref> Passwords were hashed with bcrypt; however, they were later decrypted.

The data exfiltrated from the breach included: email addresses, real names, cities and countries of residence, public profile data, and partially hashed passwords (for users logged in directly with Canva, not externally). Payment data was not accessed.

===[Company]'s response===

Canva alerted users on May 25, 2019, to reset their passwords through email and in app alerts. To improve security, Canva introduced Multi-factor authentication (MFA), enhanced security measures (not specified), and regular security audits.<ref>{{Cite web |last=Danielson |first=Lizzie |date=2025-11-14 |title=Canva Data Breach |url=https://www.huntress.com/threat-library/data-breach/canva-data-breach |url-status=live |website=[[Huntress]]}}</ref>

==Lawsuit==

==Consumer response==

==References==

[[Category:Canva]]

[[Category:2019 incidents]]

@@ Line 3: / Line 3: @@
 On May 24, 2019, [[Canva]] identified their systems were attacked and posted an announcement about the breach, urging users to change their passwords. 139 million users were affected, and information taken includes usernames, real names, email addresses, and location. 61 million users' data included password hashes, and for other users, [[Google]] tokens were taken. Seven months later, on the 11th of January 2020, Canva became aware of 4 million user passwords had been decrypted and shared online. Following the discovery, on the 12th of January Canva has forcefully reset the password of every user that had not changed it since the date of the incident.
-{{IncidentPreload}}
+==Background==
+{{Ph-I-B}}
+==[Incident]==
+The attack was linked to a group known as GnosticPlayers.<ref>{{Cite web|url=https://www.packtpub.com/en-us/learning/how-to-tutorials/canva-faced-security-breach-139-million-users-data-hacked-zdnet-reports|title=Canva faced security breach, 139 million users data hacked: ZDNet reports|first=Fatema|last=Patrawala|work=Packt|date=2019-05-28|access-date=2026-04-27}}</ref> The group claimed to exfiltrate data and offered it for sale on breached forums, with motives of financial gain. The breach was caused by credential stuffing and credential cracking.<ref>{{Cite web |last=Minh Hieu Nguyen Ba |last2=Bennet |first2=Jacob |last3=Gallagher |first3=Michael |last4=Bhunia |first4=Suman |title=A Case Study of Credential Stuffing Attack: Canva Data Breach |url=https://ieeexplore.ieee.org/document/9799087 |url-status=live |website=[[IEEE Xplore]] |publisher=[[IEEE]]}}</ref> Passwords were hashed with bcrypt; however, they were later decrypted.
+The data exfiltrated from the breach included: email addresses, real names, cities and countries of residence, public profile data, and partially hashed passwords (for users logged in directly with Canva, not externally). Payment data was not accessed.
+===[Company]'s response===
+Canva alerted users on May 25, 2019, to reset their passwords through email and in app alerts. To improve security, Canva introduced Multi-factor authentication (MFA), enhanced security measures (not specified), and regular security audits.<ref>{{Cite web |last=Danielson |first=Lizzie |date=2025-11-14 |title=Canva Data Breach |url=https://www.huntress.com/threat-library/data-breach/canva-data-breach |url-status=live |website=[[Huntress]]}}</ref>
+==Lawsuit==
+{{Ph-I-L}}
+==Consumer response==
+{{Ph-I-ConR}}
+==References==
+{{reflist}}
+[[Category:Canva]]
+[[Category:2019 incidents]]