Canva, the Sydney-based startup behind the graphic design service, suffered a security breach in which the data of around 139 million users was stolen.
The infamous hacker known as GnosticPlayers is behind this breach. This is the same hacker who has put the stolen data of 932 million users up for sale on the dark web. He has stolen this data from 44 companies around the world since this February.
The hacker stated that he had downloaded everything from the company server up to May 17, after which the company detected the breach and closed its database server.
The stolen data included details such as customer usernames, real names, email addresses, and city and country information, where available.
The password hashes of 61 million users were also present in the database. The passwords were hashed with the bcrypt algorithm, which is considered one of the most secure password-hashing algorithms available.
For the remaining users, the stolen information included Google tokens, which they had used to sign up for the site without setting a password.
Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.
According to a Canva spokesperson, the company was aware of the security breach that enabled access to a number of usernames and email addresses. The company stated that it has stored all passwords securely using the highest standards and that there is no evidence of any users’ credentials being compromised. As a precaution, it recommends that all users change their passwords. The company says it will communicate with its community as it learns more details about the situation.
Canva, founded in 2012, is one of Australia’s biggest tech companies. The Canva website is widely used to build quick websites, design logos, or put together eye-catching marketing materials.
The site ranks highly in the Alexa website traffic rankings, where it is currently ranked #170. Canva also recently acquired two of the world’s biggest free stock content sites, Pexels and Pixabay. However, details of Pexels and Pixabay users were not included in the data stolen by the hacker.