Gnosticplayers hacked Canva website and stole data of over 139 million users

The stolen data included users' personal information, such as names, usernames, email addresses, residential city, and country.

The compromised data also includes password hashes for almost 61 million users and Google tokens for other users.

What happened?

Canva, an Australia-based company that provides a graphic design platform, has been hacked and data for roughly 139 million users have been compromised.

Details on the breach

The infamous hacker ‘Gnosticplayers’, who had earlier put up stolen data of 932 million users for sale on the dark web, is responsible for this breach.

Gnosticplayers contacted ZDNet on May 24, 2019, and said that he breached the company just hours before contacting them.

“I download everything up to May 17. They detected my breach and closed their database server,” Gnosticplayers said.

ZDNet requested a sample of the hacked data to verify the hacker's claims. In response, Gnosticplayers provided sample data for 18,816 accounts, including the account details of some of the company’s staff and admins.

What data was compromised?

  • The stolen data included users' personal information, such as names, usernames, email addresses, residential city, and country.
  • The compromised data also includes password hashes for almost 61 million users and Google tokens for other users.

Worth noting

  • The compromised passwords were hashed with bcrypt, one of the most secure password hashing algorithms.
  • Of the total 139 million users, 78 million users had their Gmail addresses associated with their Canva account.

What actions are being taken?

ZDNet contacted Canva users to verify the validity of the sample data received. After verifying it, ZDNet notified the site's administrators about the breach.

“Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses. We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised,” a spokesperson for Canva said.

However, the company is recommending that its users reset their passwords as a precaution.