On May 24, 2019, Canva reported that an attack on its systems was in progress. By the time it was over, the records of 139 million users had been stolen by the hacker (or group) known as Gnosticplayers.
The hackers notified ZDNet and provided evidence of the hack, including a sample containing the data of 18,816 accounts. ZDNet then alerted Canva, and the company tweeted the following.
This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.
— Canva (@canva) May 25, 2019
According to ZDNet, Gnosticplayers said, “I download everything up to May 17. They detected my breach and closed their database server.” This hacker or group has, since February, stolen the data of 932 million users from 44 companies around the world, and the data is up for sale on the dark web.
The Stolen Data
The report from ZDNet says the stolen data from Canva includes customer usernames, real names, email addresses, and city & country information, where available.
Canva also reported the same thing on its site, adding that the hackers also accessed cryptographically protected passwords. Because Canva usernames and passwords are individually salted and hashed with bcrypt, the hackers obtained hashes, not the passwords themselves.
bcrypt is one of the most widely trusted password-hashing algorithms. The salt adds random characters to each user's password before it is hashed, which increases the work for anyone who tries to crack the stolen hashes: two users with the same password end up with different hashes, so effort spent on one account cannot be reused on another.
However, the hacker(s) claimed to have obtained OAuth login tokens for users who signed in via Google. Canva says these tokens are encrypted with AES-128 and that the encryption keys are stored separately.
As for financial data, Canva says the attackers only viewed files containing partial credit card and payment data. The limited card information available is not enough to make payments, and Canva says it never stores full credit card details.
So, what can you do when someone steals your information because the company you do business with is hacked?
Protecting your Digital Presence
The truth is that if the company that has been hacked doesn’t know about it, you will be in the dark too. As this case shows, the hacker kept downloading data until the company detected the incident, which can happen right away or only after some time.
If you have a digital presence, the one thing you have to do is stay vigilant. Just because you have a robust security system in place doesn’t mean you’re not going to be hacked.
Canva is now valued at $2.5 billion after raising $70 million in a Series D funding round, so it is fair to assume it has some of the best security solutions in place. The point is that if someone wants your data, they won’t stop until they get it.
In addition to installing a reliable antivirus and/or anti-malware product on your device, make sure you have the latest updates for your hardware and software. Last but not least, change your passwords regularly.
Change Passwords Regularly
The fastest way for a hacker to gain access to your system is by knowing or cracking your password. If you create a strong password and change it regularly, you make it that much harder for hackers.
One of the best ways to generate a strong password is with a password manager. These services generate hard-to-crack passwords and make them easily available to you. But even if your passwords are hard to crack, you should still change them regularly.
How often should you change your password? Many organizations now have mandatory requirements to change passwords every 60, 90, or 180 days. If you don’t change the password, the system will lock you out.
If you don’t have this type of protocol for your small business, you should implement it right away. This will ensure your employees change their passwords.
On a personal level you should also adopt this same protocol. With the right password manager, you can change all your passwords in a few minutes and improve your digital security.
If you want to know whether your email account has appeared in a known breach, you can check it at https://haveibeenpwned.com.