Canva Data Breach - A Lesson For Budding Businesses

Reading time: Reading time 2 minutes

A data breach can gravely harm the reputation of any business and also hurt the sentiments of the users whose information gets exposed. The matters may become even worse if the aftermath of the incident is not handled decisively. Last week, the Australian tech giant Canva reported a major data breach that left the entire online community in shock.

Canvas Security Breach - What actually happened?

In this major cybersecurity incident, the attacker stole records of over 139 million Canva users and the exposed data included real names, usernames, email addresses, and other sensitive personal information of users.

However, the email passwords that were stolen with other data were heavily encrypted using the Bcrypt algorithm, and they wouldn’t be compromised. The dates of birth and home addresses of the users were also safe.

Soon after the breach was confirmed, the authorities at Canva urged their users to change passwords as a precautionary measure.

Launched in 2012, the Sydney-based graphic design unicorn has a user base of millions of users in almost 179 countries across the globe.

The hacking incident was reported on 24th May by an official from ZDNet. The official then asked for a sample dataset to verify the hack and received the personal data of around 17,000 users. Later, Canva also confirmed the authenticity of the breach. The alleged hacker behind this attack goes by the name GnosticPlayers and is highly infamous for his online crimes.

Since the beginning of 2019, this hacker has claimed to have stolen the data from around 1 billion users of about 44 major online companies and has put up that data for sale on the dark web.

The hacker stole the passwords of nearly 61 million users, but fortunately, they were encrypted with one of the most secure hashing algorithms - Bcrypt. The hacker also stole Google Tokens, which were used by numerous users to sign in to their accounts without setting up passwords.  


MUST READ: Exclusive Insights On Sustainable Growth For SaaS Businesses Through Security Best Practices

Canva’s Response To the data-leak: What Startups Should Learn

The last few weeks were more like a roller coaster ride for the Australian company. Since its launch, Canva has become the primary choice of users in the online design market and currently ranks #170 in the Alexa website traffic ranking.

In the past week, the company also raised almost $71 million in its Series D funding and was valued at a whopping $3.5 billion, making it one of the fastest-growing Australian tech startups. The company also acquired two free photography sites named Pexels and Pixabay recently.

Everything was running smoothly until the data breach news came in. And, after the breach was detected by the Canva officials on 24th May, the manner in which the company communicated the incident to its users, raised some serious questions.  

Instead of focusing on the breach news, Canvas's initial communication email to its customers centered on the company’s recent acquisitions and achievements. The wording and structure of the email were heavily criticized by security experts on several social media platforms. 

The critics accused Canva of marketing its brand achievements rather than being focused on the real data security issue. After the harsh feedback, the company corrected its mistake and issued another email that focused only on the breach issue.

Canva Data Breach

The budding startups have a significant lesson to learn from this incident. As new businesses grow in size and scale, the risks related to cybersecurity also increase and so do the chances of getting breached. Companies should make thorough action plans and strategies for scenarios like these and try to be as straightforward as possible while explaining the criticality of such incidents to their users.

The temptation to soften the gravity of the issue by expressing it otherwise might make the situation even more complicated, and that is why it is better to share the right information at the right time with the concerned users.

It is essential to keep the stakeholders acquainted and updated about the crisis and consistently address their queries in times like these. Following the best cybersecurity practices from the beginning will undoubtedly go a long way.        


Published on May 30, 2019
Subho Halder
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now