[BreachExchange] Australian tech unicorn Canva suffers security breach

Destry Winant destry at riskbasedsecurity.com
Tue May 28 10:06:08 EDT 2019


https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/

Canva, a Sydney-based startup that's behind the eponymous graphic
design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach,
according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers.
The hacker is infamous: since February this year, GnosticPlayers has
put up for sale on the dark web the data of 932 million users, stolen
from 44 companies from all over the world.

HACK TOOK PLACE THIS MORNING

Today, the hacker contacted ZDNet about his latest hack, involving
Australian tech unicorn Canva, which he said he had breached just
hours before, earlier this morning.

"I download everything up to May 17," the hacker said. "They detected
my breach and closed their database server."

Stolen data included details such as customer usernames, real names,
email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the
database. The passwords were hashed with the bcrypt algorithm,
currently considered one of the most secure password-hashing
algorithms around.

For other users, the stolen information included Google tokens, which
users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address
associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the
hacker's claims. We received a sample with the data of 18,816
accounts, including the account details for some of the site's staff
and admins.

We used this information to contact Canva users, who verified the
validity of the data we received. We also contacted the site's
administrators, informing them of the breach and requesting an
official statement.

"Canva was today made aware of a security breach which enabled access
to a number of usernames and email addresses," a Canva spokesperson
told ZDNet via email.

"We securely store all of our passwords using the highest standards
(individually salted and hashed with bcrypt) and have no evidence that
any of our users' credentials have been compromised. As a safeguard,
we are encouraging our community to change their passwords as a
precaution," the company said.

"We will continue to communicate with our community as we learn more
about the situation."

ONE OF THE INTERNET'S BIGGEST SITES

Canva is one of Australia's biggest tech companies. Founded in 2012,
the Canva website has become a favorite among regular users and large
companies who often use it to build quick websites, design logos, or
put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank,
and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a
Series-D funding round, and is now valued at a whopping $2.5 billion.
Canva also recently acquired two of the world's biggest free stock
content sites -- Pexels and Pixabay. Details of Pexels and Pixabay
users were not included in the data stolen by the hacker.

With today's hack, GnosticPlayers has now stolen over one billion user
credentials, a goal the hacker told ZDNet in previous interviews he
was aiming for. If anyone's still keeping count, that's 1.071 billion
credentials from 45 companies.
