Millions of Canva users’ data stolen as GnosticPlayers strikes again

Is it true that most people only read the first four lines of email, as this Twitterer suggests?

If so, a cynic might assume, as did IT consultant Dave Hall, that the marketing department at a company that's just suffered a massive data breach knows it too... and hence shoehorned its own message in at the top of the first breach notification the company sent out.

The first breach notification sent out by Canva – the Sydney-based company behind the eponymous online design tool – let recipients know that on Friday 24 May 2019, it had discovered a breach while it was still in progress.

As soon as we were notified we immediately took steps to identify and remedy the cause and have reported the situation to authorities (including the FBI). We are very sorry for any concern or inconvenience this may cause.

That is, Canva notified users that it had discovered a breach... after it told them about 1 million new free images and a new tool for printing t-shirts.

A breach notice sent out later that same day was stripped of what Hall called “marketing crap.”

The breach

Canva didn't mention how many records had been accessed, but said that the data involved users' names and email addresses, along with passwords that had been individually salted and hashed with bcrypt, a deliberately slow password-hashing function designed to make offline guessing of leaked hashes expensive.

This means that our user passwords remain unreadable by external parties.

ZDNet had more details: the hacker reportedly told the publication that he/she/they got away with data for roughly 139 million users. Since February 2019, the hacker(s), who goes by the alias GnosticPlayers, has listed for sale on the dark web a total of 932 million users’ data, stolen from 33 companies worldwide, according to ZDNet.

More stuff stolen

GnosticPlayers said that on 24 May, they’d downloaded everything up to 17 May 2019, and that Canva had detected the breach and closed down its database server.

Besides the stolen data types that Canva notified users about, the breach also involved real names and, where available, customers’ city and country information. There were 61 million hashed passwords stolen, as well.

Another breached data type was Google tokens: the tokens that let users sign up for and log in to the site with their Google account instead of setting a password. ZDNet reports that out of the total 139 million affected users, 78 million had Gmail addresses associated with their Canva account. The dump included details for some of the site's staff and admins, according to the 18,816-account slice the hacker shared.

Canva said in a statement that users’ credentials haven’t been compromised, as far as it can tell, but that for safety’s sake, users are being advised to reset their passwords:

We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution.
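A worked illustration of what "individually salted and hashed with bcrypt" does and does not buy the people in this dump, added here as an example; it is not code from Canva or from the article. bcrypt is not in the Python standard library, so the block uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in with the same properties that matter (a per-user random salt, a tunable work factor, slow verification); the account names, passwords, wordlist and iteration count are constructed for the example.

```python
"""Salted, cost-tunable password hashing and the offline attack it does (and
doesn't) prevent. Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard
library. Names, passwords and wordlist below are constructed for the example."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor for the example; in production tune it so one hash costs
# roughly 100 ms on your servers, the same idea as bcrypt's cost parameter.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return "algo$iterations$salt$hash" with a fresh 16-byte salt per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What an attacker holding the leaked table can do offline: try every
    wordlist entry against every account. The per-user salt rules out one
    shared precomputed table, so each account costs len(wordlist) hashes; the
    work factor, not secrecy of the hash, is all a weak password has going for it."""
    recovered = {}
    for user, stored in dump.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                recovered[user] = guess
                break
    return recovered


# Constructed leaked table: alice chose a common password, bob a long passphrase.
SAMPLE_DUMP = {
    "alice@example.com": hash_password("password123"),
    "bob@example.com": hash_password("correct horse battery staple 2019"),
}
# Constructed attacker wordlist.
WORDLIST = ["123456", "qwerty", "password", "password123", "canva2019"]


if __name__ == "__main__":
    a, b = hash_password("password123"), hash_password("password123")
    print("same password, different stored hashes:", a != b)
    print("recovered offline:", dictionary_attack(SAMPLE_DUMP, WORDLIST))
```

The point for users: the salt stops one precomputed table from serving every account and the work factor makes each guess cost real CPU time, but an attacker who holds the dump can still run the common passwords against every hash offline with no rate limit, so a password such as alice's falls regardless of how it was hashed. That is why "change your password" is the right advice even when the stored hashes are, as Canva says, unreadable as stored.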

Busy, bad beavers

GnosticPlayers was in the headlines in March 2019, when the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers were trying to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.

What to do

Users should take Canva’s advice and change their passwords as soon as possible. Unfortunately, Canva doesn’t offer 2FA or we’d tell you to turn it on.

And if you work in a marketing department, please, don't tuck important details about a security breach underneath marketing messages that could lead users astray. It's difficult to take seriously a company's professed commitments to "protecting the data and privacy of all our users" and to "open, transparent communication that puts our communities' needs first" when the first thing a recipient sees in a breach notification is a marketing spiel.

Transparency and commitment to data protection mean prioritizing the real meat of the message, not tucking it underneath fluff. Canva deserves credit for fixing this in its second notification, but who knows how many users didn’t read about their jeopardized data because their eyeballs glazed over in reaction to what came off as marketing spam?