Data breach hits Canva

May 30, 2019 |

View image on Twitter

Just because a company is a tech favourite and has a cool image doesn’t mean it can’t have a data breach that afflicts daggier businesses.  Data thieves tend not to respect trends, looks and reputations.  Their respect only runs to the effectiveness of privacy protections and data security.  And in that respect Canva has come up short.  Worse, Canva’s response to the data breach is a lesson in what not to do. Canva and its advisors don’t know or ignore what best practice is when dealing with a data breach, both legally as well as from a business and client management perspective. 

For starters it is a dreadful look for the data breach to be disclosed by the hackers.  Zdnet reported the story in Australian tech unicorn Canva suffers security breach last Monday with the notorious hacker, GnosticPlayers, claiming to accessed personal information held by Canva up until 17 May 2019 earlier that day.    Significant detail was provided to Zdnet and that resulted in a detailed story which provides:

Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.

Hack took place this morning

Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.

“I download everything up to May 17,” the hacker said. “They detected my breach and closed their database server.”

Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.

For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the hacker’s claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site’s staff and admins.

We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site’s administrators, informing them of the breach and requesting an official statement.

“Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses,” a Canva spokesperson told ZDNet via email.

“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution,” the company said.

“We will continue to communicate with our community as we learn more about the situation.”

One of the internet’s biggest sites

Canva is one of Australia’s biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world’s biggest free stock content sites — Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

With today’s hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone’s still keeping count, that’s 1,071 billion credentials from 45 companies.

Previous coverage of GnosticPlayers’ hacks:

Round 1 + Round 2 [620 million + 127 million user records]
Round 3 [93 million user records]
Round 4 [26.5 million user records]
Round 5 [65.5 million user records]

Playing “Catch up” always puts a business behind in the news cycle. 

It gets worse when the statements say next to nothing.  By comparison to the Zdnet article, which would have been in Canva’s possession, Canva’s own statements are models of obfuscation and waffle which the only solid findings being:

  • the breach happened on 24 May, 2019
  • there was access to “a number of Canva usernames and email addresses.” 
  • passwords were obtained but only in their “cryptographically secure form” so are unreadable to external parties
  • there was no access to payment details
  • there have been “no indications that any user designs have been accessed.” 

As a result of this breach users need to change their password.  

The string of announcements provides:

Updated May 28, 08:14 AEST –

Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.

Updated May 25, 08:53 AEST –

At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first.

On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).

We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their cryptographically secure form (for technical people – all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties.

However, in line with best practices, we recommend that you change your Canva password.

We apologize for the inconvenience. If you have any questions that you would like to discuss please contact us at contact@canva.com. We will communicate any further updates here.

Frequently Asked Questions


What information of mine was involved?

The security incident enabled access to a number of Canva usernames and email addresses. Passwords in their cryptographically secure form were also obtained (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.

Does this mean my Facebook and/or Google login details have been compromised?

If you use Facebook or Google to log into Canva, rest assured those credentials are also encrypted and unreadable by external parties, so you do not have to change your password on Facebook or Google.

Were my designs accessed?

There have been no indications that any user designs have been accessed.

Have my credit card details been compromised?

At Canva, all our online payments are confidential and secure which provide encrypted connections for all debit card and credit card transactions. We do not keep any credit card information on Canva.

When did the breach happen?

We discovered an in-progress attack on our systems on Friday, May 24, 2019 (PST).

What should I do?

As a precaution, we recommend changing your Canva password. If you use the same email and password on other sites you should change the passwords on those sites too. The cryptographic techniques we’ve used (bcrypt hash + individual salt) makes brute forcing hard, but passwords that are common or easy to guess are simpler to crack.

Here are some recommendations for a strong password:

    • Avoid passwords containing your real name or username.
    • Use passwords with minimum length of 8 characters.
    • Include a minimum of three of the following character types: uppercase, lowercase, numbers, non-alphanumeric symbols (for example , ! @ # $ % ^ & * < > -).
    • Use a password manager to generate and securely store passwords
note: To learn more about changing your Canva password, click here.

Who do I contact for more information?

For more information, please visit https://status.canva.com or email us on contact@canva.com

What steps is Canva taking to resolve the data breach?

As soon as we became aware, Canva immediately took steps to determine the nature and scope of the problem, and alerted law enforcement.

We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack. We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.

It is a highly massaged series of statements, designed to provide maximum reassurance with vague wording, reassurances, technical terminology and little else. 

The detail provided by Zdnet and the lack of detail by Canva, even after the Zdnet story is published highlights the poor response plan and dreadful advice being provided to Canva. It is possible to be forthcoming on the nature and extent of a breach without revealing personal data and compromising the existing system.  Canva’s response invites the question, “What is really going on?”  And if something is not going on then Canva is doing itself deep reputational damage. 

The email to its clients seems to have followed this pea and shell game announcement, under which over worded statement is the real explanation.  This deplorable approach was highlighted in the article “Marketing fluff”: What startups can learn from Canva’s data-breach response which provides:

It’s been a wild week for Aussie unicorn Canva, with the bumper news of two acquisitions and a huge $3.6 billion valuation being dampened somewhat by a breach that’s seen the data of 139 million users stolen.

Canva has said it detected the data breach on Friday, May 24, and users were informed the next day. However, it’s not the breach itself that has affected users riled up, it’s mostly the manner of communication.

The initial email telling customers about the breach has been criticised for leading with positive news, as well as new t-shirt printing capabilities in the US.

It’s not until the second paragraph the email reveals “we have today become aware of a security incident”.

The wording of the email has been criticised by Twitter users as “marketing fluff” distracting recipients from important security information.

In a later email, the messaging was changed to lead with the details of the breach.

It appears some users received the first version of the memo, while others received the updated version. Others again have reported not receiving an email notification at all.

In a statement shared with StartupSmart, Canva said the second version of the email was sent in response to some of the feedback.

“We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately,” the statement said.

“We have also been communicating to users within the platform, on social media, and via our customer support channels.”

The statement confirmed passwords were obtained in their encrypted form, meaning they’re currently unusable to external parties.

News of the breach first broke when the hacker themselves tipped off tech news site ZDNet, saying they had taken the data of about 139 million Canva users.

The hacker breached Canva’s systems and downloaded “everything up to May 17”, before Canva detected the breach and shut down the server, they reportedly told ZDNet.

Stolen data includes customer names and usernames, as well as email addresses and city and country information.

ZDNet verified the claims, it said, by requesting a sample of the data. The publication received data for more than 17,000 accounts, including account details for Canva staff and admins.

Canva then verified the validity of this data, the ZDNet story said.

The breach comes just days after two huge Canva announcements. Last week, the Aussie unicorn announced it is acquiring stock photography websites Pexels and Pixabay.

A few days later, Canva announced it had closed a $101 million funding round valuing the company at $3.6 billion.

At the time, co-founder Melanie Perkins told StartupSmart the new funding will be used to grow awareness of Canva on a global level, with schools and Fortune 500 companies being potential growth areas.

“We’re raising this round to get into every workplace across the globe,” Perkins said.

Fluffing around the problem

Speaking to StartupSmart today, Felicia Coco, co-founder and director of startup-focused PR firm LaunchLink, said something that can often happen with startups is “they’re not prepared for these things to come up”.

When you’re working with people’s personal information, there are always certain risks you have to consider, she says.

“As you grow as a startup and you gain more awareness and you are on the radar of more people, the chances of something like this happening do grow.”

Startups should always have “a plan of attack in case something like this does happen”, she adds.

At its core, this is a trust issue, Coco says. While the data has been compromised, users want to know exactly what is going on, and they want the company involved to be straight with them.

“Because you’re talking to such a wide audience, there is a temptation to minimise it or soften the blow,” she explains.

But, having worked with companies managing data breaches herself, when they haven’t gone well it’s been “because we fluffed around the problem”, Coco says.

“You have to get straight to the core of the issue, let people know what’s happening in as much detail as you can, and then you want to follow up and keep them updated,” she says.

“Give a really clear breakdown of what the situation is,” she advises, even if you don’t know the full details yourself.

“It’s really good to issue a heads up to the key stakeholders,” she adds.

And that includes anyone with a vested interest in the business, including users, the media and the wider public.

Finally, Coco suggests announcements about data breaches, or other significant bad news, “really need to come from the top”.

Startups should address the situation in a formal way, and give an official and clear statement.

“And it needs to come from the CEO,” she says.

Users want a rundown of what has happened, and how they’re going to move forward, and that’s how they can start working towards rebuilding that trust.

“They need to have clear steps about how they’re going to address the specific situation and how they’re going to work towards ensuring that this doesn’t happen again,” Coco says.

For Canva, specifically, no account has actually been breached yet, Coco points out.

“They’re a fantastic company,” she says.

“They will absolutely bounce back from this.”

However, their response to the weekend’s data breach potentially stands as a warning sign to other companies that may not have the same traction or as high a profile, and may not have the ability to bounce back.

“We have to really get tight with these strategies,” Coco says.

Right Click Capital partner Benjamin Chong also stresses the importance of being open and upfront with users in the case of any crisis.

Mistakes happen, he says, and “most users will respond well to companies who are forward about it”.

This is largely about giving those users the ability to act on the information as soon as possible, by changing their passwords on the affected site and anywhere else they may use the same one.

“You want to give your users as much opportunity to do what they need to do to protect themselves,” Chong says.

Do this well, and “you can use this as an opportunity”, he adds.

For Chong, the Canva breach serves as “a reminder for everyone” to ensure they employ good cyber security practices.

Also, startups should learn the value of having a plan.

“Have a disaster-recovery plan and a comms plan, so that it’s ready to go if you need to share things,” he advises.

Even if there’s only a very small chance of something happening, if you have pre-planned responses using best-practices from experts, “then if you do get caught, you’re able to respond quickly and clearly”.

For any startup, the more you grow, so to do your chances of being breached.

“You’re likely to have more users, and therefore, if an attacker is able to breach your system, they’re able to get more access to more user data,” Chong says.

“I would suggest all startups wanting to grow put in place the necessary safeguards.”

The breach has been widely reported, in the tech press such as Computer World with Australian ‘unicorn’ Canva hacked and in the mainstream media, such as the Australian with Massive data breach hits Canva.

The Australian article provides:

Australian tech darling Canva has been hit with a massive data breach with the graphic design outfit telling its 139 million users to change their passwords.

According to Canva, its systems were attacked last Friday with the hackers stealing usernames, their email addresses and password

It added that the passwords had been stolen in their encrypted form, making it harder for the hackers to sell them piecemeal on the web.

“On Friday, May 24, 2019 we discovered an in-progress attack on our systems. As soon as we were notified, we immediately took steps to identify and remedy the cause and have reported the situation to the relevant authorities (including the FBI and AFP).”

“We will continue to notify appropriate authorities as our investigations progress,” the company said.

While the passwords were protected (individually salted and hashed using brypt technology), making them unreadable to external parties, Canva has told its subscribers to change their passwords.

“Our team is working around the clock to deal with this situation, and we really appreciate all the support we’ve been receiving.

“We are currently notifying our community through an in-app notification, via social media, and through an email notification,” the company said.

Canva added that there were no signs that user designs have been stolen by the hackers. Users logging on to Canva through Facebook and Google have also not been affected by the attack and the company added that no credit card details had been compromised.

“All our online payments are confidential and secure which provide encrypted connections for all debit card and credit card transactions, we do not keep any credit card information on Canva.”

Canva added that it had taken immediate steps to determine the nature and scope of the problem as soon as it found about the breach and is working to work out it happened.

“We are working with a forensics team that specialises in these types of attacks, as well as the FBI, to diagnose exactly what happened and are putting processes in place to help prevent another attack.”

The attack comes as on the heels of Canva raising $US70 million in fresh capital, valuing the Sydney-based company at $3.6 billion.

The latest funding round had also seen the company welcome two new venture capital investors, General Catalyst and Bond, which is led by influential tech analyst Mary Meeker.

Existing investors Felicis Ventures and Blackbird Capital have also pitched in new funds. Canva has so far raised $US166m in funding in total.

Canva CEO and co-founder Melanie Perkins said the fresh funding will be used to help the company move up the food chain inside big companies.

“We’ve heard the challenges faced by hundreds of brand managers, designers and teams at large companies. Our enterprise product will help to resolve these pain points and ensure that all content produced is perfectly aligned,” she said.

Canva has launched a new product catering to the needs of bigger organisations, building in the success of its Canva Pro product, which is already used by 500,000 paid subscribers.

It also recently picked up free stock photography sites Pexels and Pixabay for an undisclosed sum. It’s also launching Photos Unlimited, a “Netflix-style” subscription model for more paid stock photography.

The Australian Financial Review has reported on the criticism of Canva’s strategy in Canva criticised after data breach exposed 139m user details

The only up side in this debacle for Canva is that in Australia the Information Commissioner is highly unlikely to do anything about any inadequate data security or poor privacy practices by Canva.  It is too timid a regulator for that.  If it was the United States, the United Kingdom or Europe it is likely that Canva’s woes with the regulators would be immense.

 

Leave a Reply





Verified by MonsterInsights