ServantsOfTheOilDragon (talk | contribs)
Incident Section, Companys Response
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 7: Line 7:


==[Incident]==
==[Incident]==
The attack was linked to a group known as GnosticPlayers. [https://www.sophos.com/en-us/blog/millions-of-canva-users-data-stolen-as-gnosticplayers-strikes-again] The group claimed to exfiltrate data and offered it for sale on breached forums, with motives of financial gain. The breach was caused by credential stuffing and credential cracking. [https://ieeexplore.ieee.org/document/9799087] Passwords were hashed with bcrypt; however, they were later decrypted.
The attack was linked to a group known as GnosticPlayers.<ref>{{Cite web|url=https://www.packtpub.com/en-us/learning/how-to-tutorials/canva-faced-security-breach-139-million-users-data-hacked-zdnet-reports|title=Canva faced security breach, 139 million users data hacked: ZDNet reports|first=Fatema|last=Patrawala|work=Packt|date=2019-05-28|access-date=2026-04-27}}</ref> The group claimed to exfiltrate data and offered it for sale on breached forums, with motives of financial gain. The breach was caused by credential stuffing and credential cracking.<ref>{{Cite web |last=Minh Hieu Nguyen Ba |last2=Bennet |first2=Jacob |last3=Gallagher |first3=Michael |last4=Bhunia |first4=Suman |title=A Case Study of Credential Stuffing Attack: Canva Data Breach |url=https://ieeexplore.ieee.org/document/9799087 |url-status=live |website=[[IEEE Xplore]] |publisher=[[IEEE]]}}</ref> Passwords were hashed with bcrypt; however, they were later decrypted.


The data exfiltrated from the breach included: email addresses, real names, cities and countries of residence, public profile data, and partially hashed passwords (for users logged in directly with Canva, not externally). Payment data was not accessed.
The data exfiltrated from the breach included: email addresses, real names, cities and countries of residence, public profile data, and partially hashed passwords (for users logged in directly with Canva, not externally). Payment data was not accessed.


===[Company]'s response===
===[Company]'s response===
Canva alerted users on May 25, 2019, to reset their passwords through email and in app alerts. To improve security, Canva introduced Multi-factor authentication (MFA), enhanced security measures (not specified), and regular security audits.[https://www.huntress.com/threat-library/data-breach/canva-data-breach]
Canva alerted users on May 25, 2019, to reset their passwords through email and in app alerts. To improve security, Canva introduced Multi-factor authentication (MFA), enhanced security measures (not specified), and regular security audits.<ref>{{Cite web |last=Danielson |first=Lizzie |date=2025-11-14 |title=Canva Data Breach |url=https://www.huntress.com/threat-library/data-breach/canva-data-breach |url-status=live |website=[[Huntress]]}}</ref>


==Lawsuit==
==Lawsuit==
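
Review bot: In the rewritten Incident paragraph, the sentence "Passwords were hashed with bcrypt; however, they were later decrypted" is carried over unchanged. bcrypt is a one-way hash, so there is nothing to decrypt; suggest "cracked" or "recovered by offline guessing", if that is what the cited IEEE case study reports. The same paragraph replaces the Sophos link with a Packt article as the source for the GnosticPlayers attribution; keep the Sophos reference alongside it unless it was dropped deliberately. "Partially hashed passwords" in the unchanged paragraph that follows is ambiguous and should say whether some passwords were stored unhashed or only some accounts had password hashes. The new IEEE and Huntress refs set url-status=live with no access-date, while the Packt ref has one; make the three consistent. The headings ==[Incident]== and ===[Company]'s response=== still carry the template's bracket placeholders, and "Multi-factor" and "in app alerts" in the response paragraph want "multi-factor" and "in-app alerts".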