The Australian tech firm Canva is the latest victim of a security incident. A hacker (or hackers) using the alias ‘GnosticPlayers’ has claimed responsibility for the Canva data breach and claims to have pilfered information on around 139 million users.
Canva Disclosed Data Breach
The Sydney-based graphic design firm Canva has reportedly been the victim of a hacking attack. The company confirmed the incident by posting details on its website and sending email alerts to its users.
In its disclosure of the Canva data breach, the firm said that it identified an ‘in-progress’ attack on its systems on May 24, 2019. Further investigation revealed that the attacker accessed users’ email addresses, usernames, and bcrypt-hashed passwords.
While the notice didn’t mention a specific number of affected users, the attacker has claimed to have the data for 139 million users. According to ZDNet, the attacker ‘GnosticPlayers’ contacted them and claimed to have stolen the data, stating:
I download everything up to May 17. They detected my breach and closed their database server.
Regarding the kind of information the attacker obtained, ZDNet stated:
Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available. For 61 million users, password hashes were also present in the database… For other users, the stolen information included Google tokens.
Following the discovery of the incident, Canva took steps to contain the attack. They also acted quickly to inform users, notifying them of an ‘in-progress’ attack. However, the content of the emails, particularly the opening lines, failed to deliver the message: it read more like a promotional email than a security notice. They also sent emails with modified text to some users, conveying a clearer message, and posted a notice via their Twitter account:
This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.
— Canva (@canva) May 25, 2019
They also gave assurance that they have involved relevant security agencies to investigate the matter:
We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack.
In addition, as a security precaution, they advise users to change their Canva passwords.