Cyber Incident Victim: Canva
Date: May 2019
Location: Australia
Summary
A security breach at Canva, attributed to the threat actor known as GnosticPlayers, compromised data belonging to approximately 139 million users. Stolen information included usernames, real names, email addresses and geographic details; salted bcrypt password hashes were exposed for 61 million accounts, and Google authentication tokens for some others. The company confirmed unauthorized access to email addresses and usernames but stressed that passwords were stored only as salted bcrypt hashes and that it had found no evidence of credential misuse. As a precaution, users were advised to change their passwords. The breach was part of a wider campaign by the same threat actor against organizations worldwide.
Description
On or around May 17, 2019, Australian graphic design platform Canva experienced a security breach involving unauthorized access to user data. The incident was attributed to an individual or group using the alias GnosticPlayers, who had gained notoriety since February 2019 for stealing and attempting to sell data from 44 companies worldwide, affecting approximately 932 million users collectively. The attacker claimed to have compromised information belonging to 139 million Canva users, making it one of the largest breaches of an Australian technology company. Stolen data included customer usernames, real names, email addresses, and geographic information (city and country) where available. For 61 million affected users, password hashes were accessed; these were produced with bcrypt, a deliberately slow, salted password hashing algorithm (not encryption, as it is sometimes mislabelled), so the hashes cannot simply be reversed to recover the passwords. Additionally, the breach exposed Google authentication tokens for some accounts; 78 million of the affected users had Gmail addresses linked to their Canva profiles.

Canva publicly acknowledged the breach on May 24, 2019, confirming unauthorized access to usernames and email addresses but emphasizing that password security remained intact because passwords were stored as bcrypt hashes with a unique salt per user. The company stated it found no evidence of compromised credentials but advised users to change passwords as a precautionary measure. Salted bcrypt raises the cost of offline guessing but does not prevent it against weak or reused passwords, which is why a precautionary reset was still warranted. Canva initiated communications with its user base to provide updates as the investigation progressed. The breach highlighted the scale of risk facing rapidly growing tech firms, as Canva, founded in 2012 and serving both individual and enterprise clients, had become one of Australia's most prominent technology unicorns. GnosticPlayers' broader pattern of targeting multiple organizations underscored the systemic threat posed by actors who harvest bulk user data for sale on dark web markets.
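When a dump of bcrypt hashes is confirmed stolen, the first question an incident response team asks is how much work each hash imposes on an offline attacker: what cost factor was used, and is every hash carrying its own salt. The script below is an added example, not Canva's code and not drawn from the original page. It parses the bcrypt modular-crypt string layout ($2b$<cost>$<22-char salt><31-char digest>) with the standard library only and audits a hash set for weak cost factors and salt reuse. The three hash strings are constructed to have that layout for illustration; they are not real hashes of any password, and the threshold of cost 10 is an assumed policy value.

```python
"""Audit a dump of bcrypt hash strings: per-hash salt, cost factor, and what that
means for an attacker who now holds the hashes.

Added example; not Canva's code. The hash strings below are constructed to have
the bcrypt modular-crypt layout ($2b$<cost>$<22-char salt><31-char digest>) and
are NOT real hashes of any password.
"""
import re
from collections import Counter

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample dump: one hash at cost 12, one at cost 10, and one at
# cost 8 that deliberately reuses the first hash's salt.
SAMPLE_HASHES = [
    "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "$2b$08$R9h/cIPz0gi.URNNX3kh2OabcdefghijklmnopqrstuvwxyzABCDE",
]


def parse_bcrypt(h):
    """Split a bcrypt string into version, cost, salt and digest.

    Raises ValueError for anything that is not a well-formed bcrypt hash,
    e.g. an unsalted MD5/SHA hex digest, which is exactly the case where the
    'passwords are safe' claim would NOT hold.
    """
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    cost = int(m["cost"])
    return {
        "version": m["version"],
        "cost": cost,
        "salt": m["salt"],
        "digest": m["digest"],
        # bcrypt runs 2**cost rounds of expensive key setup per guess; this is
        # the factor by which it slows an offline attacker relative to a
        # single round. Cost 12 is 4096 rounds per guess.
        "rounds": 2 ** cost,
    }


def audit_hashes(hashes, min_cost=10):
    """Summarise a leaked hash set the way an IR team would.

    Returns the cost-factor distribution, how many hashes sit below the
    assumed minimum acceptable cost, and any salt that appears more than
    once (a salt shared by two users lets one cracking run test both at once).
    """
    parsed = [parse_bcrypt(h) for h in hashes]
    salt_counts = Counter(p["salt"] for p in parsed)
    return {
        "total": len(parsed),
        "cost_distribution": dict(Counter(p["cost"] for p in parsed)),
        "weak_cost": sum(1 for p in parsed if p["cost"] < min_cost),
        "reused_salts": sorted(s for s, n in salt_counts.items() if n > 1),
    }


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        p = parse_bcrypt(h)
        print("version=%s cost=%d rounds=%d salt=%s" %
              (p["version"], p["cost"], p["rounds"], p["salt"]))
    print(audit_hashes(SAMPLE_HASHES))
```

Run against a real dump, the cost distribution tells you how long the hashes buy you before weak passwords start falling, and any reused salt or non-bcrypt entry is a reason to force a reset for those accounts rather than merely advise one.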
