canva data breach case study

A Case Study of Credential Stuffing Attack: Canva Data Breach

Ieee account.

• Change Username/Password
• Update Address

Purchase Details

• Payment Options
• Order History
• View Purchased Documents

Profile Information

• Communications Preferences
• Profession and Education
• Technical Interests
• US & Canada: +1 800 678 4333
• Worldwide: +1 732 981 0060
• Contact & Support
• About IEEE Xplore
• Accessibility
• Terms of Use
• Nondiscrimination Policy
• Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. © Copyright 2024 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.

139 million users hit in data breach

In May 2019, the company suffered a data breach that affected 139 million customers. The company identified the attack whilst it was ongoing so the perpetrator took to twitter to make their attack public which forced the company into swift damage cont...

Already have an account? Sign in here

We've done the analysis so you can make the decisions

Search our repository of 6,304 high-quality, objective, peer-reviewed case studies, impacting 6,390 companies and resulting in $43,423,465,044 in net costs

• Sophisticated search & querying
• Financial data extracted
• Key data points captured

Decrypting Canva’s Security Breach That Affected 139 Million User Accounts

Yet another attack by a hacker responsible for cyber threats at over 44 companies worldwide.

Spreeha Dutta

If you have been a Canva user for over a year now, then on the 26th of May 2019 you would have received an email from Canva notifying you about the company being at the receiving end of a security attack. Canva was very responsive throughout, be it in taking the necessary protective measures against the attack or informing the concerned cyber crime cell.

However, at that time the attack was estimated to have only minimally impacted 139 million user accounts . It was only later on the 11th of January 2020 that it was found that the attack could have left its repercussions on as many as 4 million accounts whose passwords had also been successfully decrypted by the hacker .

But before we go further, to give you a brief background about Canva, it is one of the most popular graphic design startups that was founded in Australia in 2013. Currently it has a presence in 190 countries with 15 million users . Read on to know more about the attack and how Canva immediately responded to counter the potential damage.

Going Back To The Morning Of The Attack

On the 24th of May 2019, a hacker who goes by the name GnosticPlayers contacted ZDNet and claimed to have breached Canva earlier that morning.

“I download everything up to May 17,” the hacker said. “ -As reported by ZDNet

The Canva attack wasn’t the first time that he/she/the group was responsible for a cyber attack. Dubsmash, MyFitnessPal, Zynga are few of the names who had previously fallen victim to GnosticPlayers’ data breaches. GnosticPlayers is infamous as a hacker who has stolen data of over 900 million users from 45 companies worldwide and put them on sale on the dark web.

But how was the Canva attack different from other attacks?

Here, the attack was discovered and stopped by Canva while it was still occurring. Canva had immediately shut its database servers on detecting the attack. But what was most surprising was the fact that after the attack was stopped, the hacker directly contacted a journalism group (ZDNet) and admitted to having committed the crime.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict .

This bold measure on the part of the hacker was considered by many to be a ploy to steer more sales of the stolen user accounts that he had put for sale on the dark web.

What was compromised in the attack?

• The profile database of 139 million users was accessed. This contained usernames, email ids, public profile ids.
• Encrypted passwords using bcrypt hashing algorithm. bcrypt is still considered to be one of the most secure algorithms.
• A claim of access to the OAuth login tokens of those users who had logged in using Google. (OAuth tokens are what applications use to make requests on behalf of the user for the authorization of the specific application.)
• Limited viewing of card details and payment data. Fortunately for Canva, it never stores complete credit card information in one place. Therefore even though the attacker might have viewed these files momentarily, they couldn’t have used it for carrying out payments.

Why were the users not thought to be at much risk?

• Since the passwords had been first salted and then protected with a hashing function called bcrypt , it was considered then that even though the attackers had access to the hashed password they would never be able to decrypt them and recover the original password. bcrypt is one of the strongest hash algorithms there is since its iteration count can be dynamically increased with time to make it slower and thus resistant to brute force attacks.
• The OAuth tokens too were encrypted using an algorithm called AES128 and the keys for the same were stored in another separate secure location. There was no evidence that those keys from that location were accessed. And without the keys, the tokens alone wouldn’t prove to be of much use to the attacker.

What was Canva’s Response To the Attack?

I too was a Canva user at the time of the breach and I still am. I received the following mail from them as did its other customers on the 26th of May, 2019.

Unexpected Turn Of Events…

It was only on the 11th of January 2020, 7 months after the attack that the company became aware that the hacker had been able to decrypt the passwords of as many as 4 million Canva accounts out of the 139 million accounts that had been compromised by the breach. It sent Canva into damage control mode once again.

Canva promptly notified all its users of the attack and asked all those with unencrypted passwords to change their passwords immediately by sending out necessary emails containing a set of guidelines for setting the new password. On the 12th of January 2020, Canva forcibly reset the password of all those who hadn’t changed their passwords yet and sent out emails about the same to its users.

What’s the Current Situation?

In spite of all the storm that Canva weathered, to date, it continues to be one of the fastest-growing tech companies. In fact, since the attack, its Alexa website traffic rank shot up substantially and it was featured among the Top 200 most popular websites. Canva is currently valued at a massive sum of $3.2 billion. It remains a favorite among its users who are looking to build quick and attractive designs, logos, and posters.

However, this incident also brought to light a very essential issue for budding businesses and startups — that however good their product might be, if they don’t cultivate healthy cyber security practices it will be difficult for them to survive going ahead.

That’s all! Thanks for reading the entire way! Do leave your feedback. You can also connect with me on: LinkedIn: https://www.linkedin.com/in/spreehadutta/ Twitter: https://twitter.com/DuttaSpreeha GitHub: https://github.com/Spreeha Mail: [email protected]

Written by Spreeha Dutta

A software engineer, blogger and podcaster navigating her way through life's beautiful stories.

More from Spreeha Dutta and codeburst

The Startup

How Does Instagram Show Me Posts Regarding What I Have Searched On Google

I have always wondered how does instagram know what i am searching about on google when i am not even signed into instagram using my….

How To Create Horizontal Scrolling Containers

As a front end developer, more and more frequently i am given designs that include a horizontal scrolling component. this has become….

Jinja2 Explained in 5 Minutes!

(part 4: back-end web framework: flask).

Investor’s Handbook

The Dot Com Bubble Burst: Why Is It Important To Heed The Lessons From It Even Today

A story worth telling even today, recommended from medium.

Abdul-mu'min Omotola

InfoSec Write-ups

Building a Virtual Ethical Hacking Home Lab — Part 2: Lab Topology

An interactive guide for building your very own ethical hacking home lab using vmware.

Alexander Nguyen

Level Up Coding

The resume that got a software engineer a $300,000 job at Google.

1-page. well-formatted..

AI Regulation

Tech & Tools

ChatGPT prompts

Growth Marketing

How I Am Using a Lifetime 100% Free Server

Get a server with 24 gb ram + 4 cpu + 200 gb storage + always free.

Jonathan Mondaut

How ChatGPT Turned Me into a Hacker

Discover how chatgpt helped me become a hacker, from gathering resources to tackling ctf challenges, all with the power of ai..

Abdur Rahman

Stackademic

Python is No More The King of Data Science

5 reasons why python is losing its crown.

Asian Digital Hub

Top 10 Cybersecurity Languages You’re Missing Out On - And Why It’s Risky

We’re all hyper-focused on the next big threat — whether it’s malware, phishing, or ransomware. but what about the tools we’re using to….

Text to speech

• Conferences
• New Conferences
• search search
• You are not signed in

External Links

• Google Scholar
• References: 0
• Cited by: 0
• Bibliographies: 0
• [Upload PDF for personal use]

Researchr is a web site for finding, collecting, sharing, and reviewing scientific publications, for researchers by researchers.

Sign up for an account to create a profile with publication list, tag and review your related work, and share bibliographies with your co-authors.

A Case Study of Credential Stuffing Attack: Canva Data Breach

Minh Hieu Nguyen Ba , Jacob Bennett , Michael Gallagher , Suman Bhunia . A Case Study of Credential Stuffing Attack: Canva Data Breach . In International Conference on Computational Science and Computational Intelligence, CSCI 2021, Las Vegas, NV, USA, December 15-17, 2021 . pages 735-740 , IEEE, 2021. [doi]

• Bibliographies

Abstract is missing.

• Web Service API