The theft of account details from design platform Canva’s customer database last Friday appears to be the work of a notorious hacker responsible for stealing the account details of one billion customers from 45 companies, then offering them for sale on the dark web.
The hacker, who uses the alias Gnosticplayers, contacted technology news site ZDNet to brag about the hack, claiming to have stolen the data belonging to 139 million users during the breach.
“I download everything up to May 17. They detected my breach and closed their database server,” the hacker told ZDNet.
“Gnosticplayers” contacted ZDNet three months earlier saying they had set themselves the goal of offering data from one billion users for sale and had released it on a dark web illegal goods site called Dream Market.
They’d previously hacked companies such as 500px, Under Armour, ShareThis, GfyCat, and MyHeritage for customer data. Canva was their 45th target and supposedly took them to the one billion target.
The stolen material included usernames, email addresses, real names, and any city and/or country details provided, as well as encrypted passwords. Canva recommended its customers change their passwords, especially if they were also used on other sites.
ZDNet was sent a sample of the hacked data involving nearly 19,000 accounts and used it to contact Canva users and check the veracity of Gnosticplayers’ claims. They also contacted the site’s administrators.
The company’s subsequent statement said it was “made aware of a security breach”, but did not clarify who told them about the hack when asked by Startup Daily.
Canva said it contacted the US Federal Bureau of Investigation (FBI) about the attack and engaged a forensics team to diagnose what happened.
The hacker said of the 139 million users, 78 million had a Gmail address linked to their Canva account.
In its statement to users, Canva said logins via Facebook or Google are also encrypted and unreadable by external parties, so passwords on Facebook or Google don’t have to be changed.
ZDNet reported that for some users, Google tokens, which are used to sign in without a password, were also stolen.
Canva wrote to its users on the weekend about the breach, but botched its initial contact with some customers in a breezy email from head of communications, Liz McKenzie, that began: “Hey there, At Canva we spend a lot of time and energy working to empower our community to create great designs. Last week has been a big week for us.”
It went on to talk about t-shirt printing launching in the US.
The data breach was only revealed in the second paragraph, infuriating those who took the time to read that far.
Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you've been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl
— Dave Hall (@skwashd) May 25, 2019
New laws in Australia requiring mandatory notification of data breaches when a customer’s information is lost or stolen were introduced in February 2018.
Companies can be fined more than $2 million if they fail to inform customers of a serious data breach that is “likely to cause serious harm”.
Startup Daily has contacted Canva for additional comment and clarification about whether the Office of the Australian Information Commissioner had been notified about the theft and whether the company was treating it as a Notifiable Data Breach.
A company spokesperson said: “At this stage our investigation is still ongoing, and we will continue to communicate with our community as it progresses.”
Sydney-based Canva recently raised US$70 million, valuing the business at US$2.5 billion (AU$3.6bn).
You can read ZDNet’s original story revealing the hack and contact with Gnosticplayers here.