Data Breach Hits Australian Tech Unicorn Canva
A massive data breach has hit Canva, the Australian tech unicorn based in Sydney.
It was ZDNet that reported, on May 24, 2019, the hack that had happened earlier that day. The hacker, known by the name GnosticPlayers, had tipped off ZDNet that during the breach at the Sydney-based start-up, data for roughly 139 million users had been breached.
The ZDNet report says, “Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.”
“Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning, ” the report further reads.
The hacker had revealed that everything up to May 17 had been downloaded before Canva detected the data breach and closed their database server. The breached data includes details including customers’ real names and user names, email addresses, city and country information etc. Password hashes for 61 million users were also part of the database that was hacked. However, the passwords were hashed with the bcrypt algorithm, which is considered to be highly secure. The hacker had also stolen the Google tokens, which some users had used to sign up without setting a password. 78 million users of the total 139 million impacted users had a Gmail address associated with their Canva account.
ZDNet researchers had verified the hacker’s claims; the ZDNet report explains, “ZDNet requested a sample of the hacked data, so we could verify the hacker’s claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site’s staff and admins. We used this information to contact Canva users, who verified the validity of the data we received.”
ZDNet then contacted Canva and informed them of the breach. Consequently, a Canva spokesman issued an email statement, which was sent to ZDNet via email. The statement says, “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses.”
“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution”, the company statement further read. The customers were also assured that further communication would happen as the company learns more about the situation.
Canva, founded in 2012, is one of Australia’s biggest tech companies and caters to numerous large companies and regular users in many ways. They have been depending on the Canva website for building websites, designing logos and such other services. The Canva website, which has been doing well since its launch, has recently entered the Top 200 in the Alexa website traffic rank. Moreover, a recent $70 million funding round has raised the company’s valuation to $US2.5 billion.
The Australian Financial Review, in a report authored by Technology Editor Paul Smith, says that Canva has been criticized post the data breach that had exposed so much of data. He writes, “High profile Australian technology company Canva has faced criticism for its handling of a cyber attack that saw the data of approximately 139 million users stolen by a hacker…The sizable data breach at the online design company came less than a week after a $70 million funding round saw its valuation soar to $US2.5 billion ($3.6 billion), catapulting its co-founders Melanie Perkins and Cliff Orbecht on to the Rich List with fortunes worth over $500 million.”
Paul Smith points out that though Canva’s handling of the breach from a technical perspective was commended, the company was widely criticized for the initial email it has sent to its customers, which “buried the details below self-congratulatory marketing content”. He explains, “News of the hack was hidden beneath talk of how Canva “empowers” people to do great designs, and the promotion of recent news about its acquisitions of two German stock photo libraries and a new product for the US market.”
However, later when some experts suggested on Twitter that the Canva email would be mistaken as just a regular marketing email by customers, the company came out with a more succinct message.
The Australian Financial Review report adds, “James Turner, the founder of CISO Lens – a forum for chief information security officers of large Australian organisations – said long-term impact for Canva customers should be minimal…He observed that it was not Canva’s fault that it was targeted and that the hack appeared to be an opportunistic attack that had “missed the critical organs””.
Julia Sowells951 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.