

==[Incident]==
{{Ph-I-I}}
The attack was linked to a group known as GnosticPlayers.<ref>{{Cite web|url=https://www.packtpub.com/en-us/learning/how-to-tutorials/canva-faced-security-breach-139-million-users-data-hacked-zdnet-reports|title=Canva faced security breach, 139 million users data hacked: ZDNet reports|first=Fatema|last=Patrawala|work=Packt|date=2019-05-28|access-date=2026-04-27}}</ref> The group claimed to have exfiltrated data and offered it for sale on breached forums, motivated by financial gain. The breach was caused by credential stuffing and credential cracking.<ref>{{Cite web |last=Minh Hieu Nguyen Ba |last2=Bennet |first2=Jacob |last3=Gallagher |first3=Michael |last4=Bhunia |first4=Suman |title=A Case Study of Credential Stuffing Attack: Canva Data Breach |url=https://ieeexplore.ieee.org/document/9799087 |url-status=live |website=[[IEEE Xplore]] |publisher=[[IEEE]]}}</ref> Passwords were hashed with bcrypt; however, the hashes were later cracked.
 
The data exfiltrated in the breach included email addresses, real names, cities and countries of residence, public profile data, and partially hashed passwords (for users who logged in directly with Canva rather than through an external login). Payment data was not accessed.


===[Company]'s response===
{{Ph-I-ComR}}
On May 25, 2019, Canva alerted users by email and in-app alerts to reset their passwords. To improve security, Canva introduced multi-factor authentication (MFA), enhanced security measures (not specified), and regular security audits.<ref>{{Cite web |last=Danielson |first=Lizzie |date=2025-11-14 |title=Canva Data Breach |url=https://www.huntress.com/threat-library/data-breach/canva-data-breach |url-status=live |website=[[Huntress]]}}</ref>
 


==Lawsuit==