Canva
Summary
Canva, the Sydney-based graphic design platform, suffered a major data breach on 24 May 2019 affecting approximately 139 million user accounts globally. While Canva is a global platform, the breach of this major Australian technology company represented one of the largest data breaches involving an Australian-headquartered organisation. User information including email addresses, names, usernames, cities of residence, and hashed passwords was compromised.
Attack Vector
Hacking. An attacker gained unauthorised access to Canva's user database through a sophisticated attack on the company's systems. The breach exposed usernames, email addresses, names, cities of residence, and salted password hashes. The hacker group Gnostic Players claimed responsibility for the breach. Canva did not store login credentials for users who authenticated through Google or Facebook, so no passwords for those accounts were exposed; however, some OAuth tokens for those Google and Facebook logins were compromised.
Consumer Impact
- Massive Scale: 139 million accounts affected globally, making this one of Australia's largest tech breaches
- Password Reuse Risk: Although passwords were hashed and salted, users who reused the same password on other sites faced account takeover on those sites if their hashes could be cracked
- Phishing Potential: The exposure of such a large email database enabled targeted phishing campaigns
- Australian Impact: Given Canva's origins and strong Australian market presence, Australian users represented a substantial portion of the affected user base
Response
Canva immediately secured the breach point, invalidated all user passwords and forced password resets across the entire platform, and directly notified all 139 million affected users via email. The company engaged leading cybersecurity forensic experts, implemented enhanced security measures including improved intrusion detection, and provided detailed technical disclosure about the incident. However, Canva faced some criticism for what security experts described as "marketing fluff" in its initial communications, which some felt downplayed the seriousness of the breach. Co-founder Melanie Perkins publicly addressed the incident and committed to ongoing security improvements.
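The two defensive measures the page credits Canva with, storing only salted password hashes and then invalidating every password and forcing a platform-wide reset, can be illustrated in a few lines. The following is an added example written for this page; it is not Canva's code and does not reflect Canva's actual schema or hashing parameters. It assumes a toy in-memory user store, PBKDF2-HMAC-SHA256 with a per-user random salt as the slow password hash, and a simple "must reset" flag plus OAuth token revocation as the breach-response step, so that a leaked hash set stops being usable for login even before any cracking attempt succeeds.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumed KDF cost: a deliberately slow hash makes a leaked database
# expensive to crack; the exact iteration count is a choice for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated unless one is given,
    so identical passwords on different accounts produce different hashes."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user(email: str, password: str, oauth_tokens: Iterable[str] = ()) -> dict:
    """Build a constructed user record; only the salted hash is stored, never the password."""
    salt, digest = hash_password(password)
    return {
        "email": email,
        "salt": salt,
        "hash": digest,
        "must_reset": False,
        "oauth_tokens": set(oauth_tokens),  # third-party tokens linked to the account
    }


def invalidate_all_credentials(users: Dict[str, dict]) -> int:
    """Breach response: refuse every existing password and revoke linked OAuth tokens.
    Returns the number of accounts affected."""
    for record in users.values():
        record["hash"] = None          # the leaked hash can no longer authenticate anyone
        record["must_reset"] = True    # user must choose a new password before logging in
        record["oauth_tokens"].clear() # compromised tokens are no longer honoured
    return len(users)


def login(users: Dict[str, dict], email: str, password: str) -> str:
    """Return 'ok', 'bad_password', 'reset_required' or 'unknown'."""
    record = users.get(email)
    if record is None:
        return "unknown"
    if record["must_reset"] or record["hash"] is None:
        return "reset_required"
    _, digest = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return "ok" if hmac.compare_digest(digest, record["hash"]) else "bad_password"


def reset_password(users: Dict[str, dict], email: str, new_password: str) -> None:
    """Complete the forced reset with a new salt and hash, clearing the reset flag."""
    record = users[email]
    record["salt"], record["hash"] = hash_password(new_password)
    record["must_reset"] = False


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = {}
    user = make_user("alice@example.com", "correct horse battery", ["google-token-example"])
    store[user["email"]] = user
    print(login(store, "alice@example.com", "correct horse battery"))  # ok
    print(invalidate_all_credentials(store))                           # 1
    print(login(store, "alice@example.com", "correct horse battery"))  # reset_required
    reset_password(store, "alice@example.com", "new unique passphrase")
    print(login(store, "alice@example.com", "new unique passphrase"))  # ok
```

The point of `invalidate_all_credentials` is that it does not depend on whether the attacker ever cracks the stolen hashes: once the stored hash is dropped and the reset flag set, the leaked material is useless against this service, which leaves password reuse on other sites as the residual risk the page describes.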