Australian online design service Canva appears to have been hit by a malicious hacker who claims to have made off with data pertaining to 139 million users. The pilfered personal information includes real names, usernames, email addresses and city and country information.
On the bright side, account passwords were individually salted and hashed with bcrypt, which cannot be reversed and is deliberately slow to attack by guessing, and dates of birth and street addresses do not appear to have been part of the compromised data.
If you’ve ever signed up for Canva, you should probably change your Canva account password. If you’ve ever used that same password elsewhere, definitely change it on those other services.
Canva also lets you sign in with a Google or Facebook account. Accounts created that way have no Canva-held password to steal, and there is no evidence that those accounts are in any danger from this breach.
A spokesperson from a research firm was contacted on May 24, 2019 by the hacker, who uses the pseudonym GnosticPlayers and who over the preceding several months has claimed to have stolen data pertaining to nearly 1 billion users from dozens of websites.
The same hacker has reportedly looked to sell the data of 932 million users stolen from 44 different companies on the dark web since February.
The spokesperson contacted Canva, and a company representative admitted that Canva had been “made aware of a security breach which enabled access to a number of usernames and email addresses.” Identity theft and phishing are among the more worrying consequences of this leak: a real name paired with a working email address is exactly what a convincing targeted phishing message needs.
“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised,” the company reportedly said. “As a safeguard, we are encouraging our community to change their passwords as a precaution.”
Bcrypt is a deliberately slow password-hashing algorithm, designed to make it expensive and time-consuming for a “cracker” to recover passwords by guessing. (Hashing is a one-way function, not encryption: there is no key that turns a hash back into the password, so an attacker has to hash candidate passwords one at a time and compare.) Each password was also “salted” with its own random value, stored alongside the hash, so identical passwords produce different hashes, precomputed lookup tables are useless, and every hash has to be attacked separately. None of this rescues a weak or reused password: bcrypt slows guessing down, it does not stop it.
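As an added illustration (not code from the article, from Canva, or from the bcrypt project), the following Python parses the bcrypt hash format described above, shows what the cost parameter means for an attacker, and shows why per-user salts matter. Python's standard library ships no bcrypt, so the salt demonstration uses PBKDF2-HMAC-SHA256 from hashlib as a labelled stand-in slow hash; the sample hash string and the user password list are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Layout of a bcrypt string in modular-crypt format, e.g. "$2b$12$<22 salt chars><31 hash chars>":
# a version tag (2a/2b/2y), a two-digit cost (log2 of the key-setup rounds), then the salt
# and the hash, both in bcrypt's own base64 alphabet ./A-Za-z0-9 (no '+', no '=' padding).
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample in bcrypt's format (assumption: it is not the hash of any real password).
SAMPLE_BCRYPT = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; ValueError if it is not bcrypt-formatted.

    Useful in an audit: it tells you whether a dump's hashes really are bcrypt and at what cost."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations an attacker must repeat for every guess
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def crack_time_seconds(cost, guesses, hashes_per_second_at_cost_5):
    """Rough wall-clock estimate for an offline attack on ONE hash.

    Every cost increment doubles the work, so hardware benchmarked at cost 5
    runs 2 ** (cost - 5) times slower against the target cost."""
    rate = hashes_per_second_at_cost_5 / 2 ** (cost - 5)
    return guesses / rate


# --- Why the salt matters ----------------------------------------------------------
# The functions below use PBKDF2-HMAC-SHA256 from hashlib as a stand-in slow hash
# (NOT bcrypt). The point they make, that per-user salts defeat precomputation and
# hide password reuse, holds for bcrypt in the same way.

def unsalted_hash(password):
    """The naive scheme: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=50_000):
    """Stand-in for bcrypt: a slow KDF keyed by a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(passwords):
    """Returns (salt, hash) pairs with no salt, mirroring a naive password table."""
    return [(None, unsalted_hash(p)) for p in passwords]


def store_salted(passwords):
    """Returns (salt, hash) pairs; the salt is kept in the clear next to the hash,
    exactly as bcrypt embeds it in the "$2b$..." string."""
    records = []
    for p in passwords:
        salt = secrets.token_bytes(16)
        records.append((salt, salted_hash(p, salt)))
    return records


def distinct_hashes(records):
    """How many different hash values an attacker actually has to crack."""
    return len({h for _, h in records})


def verify(password, salt, stored_hash):
    """Re-derive the hash from the candidate password and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_BCRYPT)
    print(f"bcrypt {info['version']}, cost {info['cost']} = {info['rounds']} rounds per guess")
    # One billion guesses against a cost-12 hash on hardware doing 1M cost-5 hashes/s:
    print("estimated seconds:", crack_time_seconds(12, 10**9, 10**6))  # 128000.0
    # Constructed user list: two of the three users chose the same weak password.
    users = ["hunter2", "hunter2", "correct horse battery staple"]
    print("unsalted distinct hashes:", distinct_hashes(store_unsalted(users)))  # 2
    print("salted distinct hashes:  ", distinct_hashes(store_salted(users)))    # 3
```

With no salt, the two users who share "hunter2" share a hash, so cracking one cracks both, and a precomputed table for common passwords cracks them before the attacker starts. With per-user salts every record is a separate job. Two caveats worth remembering when reading a breach notice: bcrypt only looks at the first 72 bytes of a password, and a high cost factor buys nothing for a password that sits near the top of a wordlist.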
This will be an uncomfortable experience, but it has the potential to be a phenomenal turning point for the company, its users, and the broader Australian tech startup scene. Canva's technical handling of the breach was largely commended, but it drew criticism for its initial email to customers, which buried the details beneath self-congratulatory marketing copy.