Canva has contacted the FBI to investigate the data breach.
Canva, an online graphic-design tool website operated from Australia, has suffered a massive data breach in which the personal data of over 139 million registered users was stolen. The breach took place on Friday, May 24.
The stolen data includes usernames, real names, email addresses, and city and country information, among other details. Canva has acknowledged the breach and notified users in an email claiming that their payment card and other financial data are safe.
The company further maintains that the stolen passwords are in an encrypted format and “unreadable by external parties.”
“We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their encrypted form (for technical people – all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties,” Canva said in an email sent to its users.
According to ZDNet, of the 139 million users, 61 million had their passwords hashed with the bcrypt algorithm, which is a fairly secure format when it comes to resisting cracking. Moreover, the data included Google tokens used by customers to log into Canva without registering an account.
In total, 78 million users had their Gmail-based email addresses exposed in the breach, ZDNet, which examined the sample data, has confirmed.
Canva lets users sign in with their Facebook and Gmail accounts. However, while addressing the incident, the company assured users that their Facebook and Google credentials are also encrypted and unreadable by external parties, and that there is no need to change their Facebook or Gmail passwords.
The incident has been reported to law enforcement authorities in Australia as well as to the Federal Bureau of Investigation (FBI).
The hacker behind the Canva breach goes by the handle GnosticPlayers and is the same individual behind large-scale data breaches in February this year involving sensitive data stolen from several companies, including Gfycat. The data (126 million and 92 million accounts) was then sold on the Dream dark web marketplace.
If you have an account on Canva, change its password right now. Also, change the password of the email address which you have been using to sign into the website. Read more about the breach on Canva’s security incident FAQ page.