139 Million Users Hit in Canva Data Breach

Australian online web-design service Canva seems to have been hit by a malicious hacker who claims to have made off with data pertaining to 139 million users.

Credit: Song_about_summer/Shutterstock


The pilfered personal information includes real names, usernames, email addresses and city and country information. On the bright side, email passwords were salted and hashed using the Bcrypt algorithm, which is dang near impossible to reverse, and dates of birth and street addresses do not seem to have been part of the compromised data.

If you've ever signed up for Canva, you should probably change your Canva account password. If you've ever used that same password elsewhere, definitely change it on those other services.

However, Canva also lets you use its services by signing in with your Google or Facebook accounts, and there is no evidence that those accounts are in any danger from this breach.


ZDNet's Catalin Cimpanu was contacted earlier today (May 24) by the hacker, who uses the pseudonym GnosticPlayers and who in the past several months has claimed to have stolen data pertaining to nearly 1 billion users from dozens of websites.

Cimpanu contacted Canva, and a spokesperson admitted that the company had been "made aware of a security breach which enabled access to a number of usernames and email addresses."

"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised," the company reportedly said. "As a safeguard, we are encouraging our community to change their passwords as a precaution."

Bcrypt is a strong and deliberately slow password-hashing algorithm that was designed to be difficult and time-consuming for a "cracker" to reverse. (Hashing is a one-way transformation for items that are not meant to be decrypted.) Each password was "salted" with additional random data, so that identical passwords produce different stored hashes, which makes hash-cracking even more difficult.
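To show what salting and slow hashing buy a site that stores passwords, here is an added example; it is not Canva's code and not part of the original article. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, and the account names, passwords and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2 (standard library) stands in for bcrypt here.
ITERATIONS = 100_000  # work factor: each guess costs this many HMAC rounds
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def unsalted_fast_hash(password: str) -> bytes:
    """Weak baseline for comparison: one SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def shared_digest_groups(digests: dict) -> list:
    """Group users whose stored digests are byte-for-byte identical."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts; alice and bob chose the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def build_stores():
    """Build the same user table twice: unsalted/fast and salted/slow."""
    weak = {user: unsalted_fast_hash(pw) for user, pw in SAMPLE.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted, identical digests:", shared_digest_groups(weak))
    print("salted, identical digests:",
          shared_digest_groups({u: d for u, (_, d) in strong.items()}))
```

In the unsalted table, alice and bob share one digest, so a single recovered password exposes both accounts; with per-user salts every digest is distinct and each guess must be recomputed per account at the full work factor.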


Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.