139 Million Users Hit in Canva Data Breach

Australian web-design online service Canva seems to have been hit by a malicious hacker who claims to have made off with data pertaining to 139 million users.

Credit: Song_about_summer/Shutterstock

(Image credit: Song_about_summer/Shutterstock)

The pilfered personal information includes real names, usernames, email addresses and city and country information. On the bright side, email passwords were salted and hashed using the Bcrypt algorithm, which is dang near impossible to reverse, and dates of birth and street addresses do not seem to have been part of the compromised data.

If you've ever signed up for Canva, you should probably change your Canva account password. If you've ever used that same password elsewhere, definitely change it on those other services.

However, Canva also lets you use its services by signing in with your Google or Facebook accounts, and there is no evidence that those accounts are in any danger from this breach.

MORE: Best Password Managers

ZDNet's Catalin Cimpanu was contacted earlier today (May 24) by the hacker, who uses the pseudonym GnosticPlayers and who in the past several months has claimed to have stolen data pertaining to nearly 1 billion users from dozens of websites.

Cimpanu contacted Canva, and a spokesperson admitted that the company had been "made aware of a security breach which enabled access to a number of usernames and email addresses."

"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised," the company reportedly said. "As a safeguard, we are encouraging our community to change their passwords as a precaution."

Bcrypt is a strong and slow password-hashing algorithm that was designed to be difficult and time-consuming for a "cracker" to reverse. (Hashing is one-way encryption for items that are not meant to be decrypted.) Each password was "salted" with additional random data to make hash-cracking even more difficult.

Best Identity Protection Services

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
nyc spring day AI image
OpenAI just unveiled new ChatGPT image generator powered by Sora — here's what you can do now
WWDC logo on yellow background
Apple WWDC 2025 date set for June 9 — iOS 19, Apple Intelligence and more expected
Motorola Razr Plus 2024 cover display
Motorola Razr Plus (2025) leaked specs hint at bigger upgrades — here's what we know
(L-R) Yura Borisov as Igor, Mark Eydelshteyn as Vanya, Karren Karagulian as Toros and Mikey Madison as Anora "Ani" Mikheeva in "Anora"
Hulu top 10 movies — here's what you need to stream right now
Nintendo Switch 2
Nintendo Switch 2 — industry insider just tipped release month and launch plans
Disney Plus logo
Disney Plus upgrade just fixed one of my biggest problems with the home page