Canva Users Are Advised to Change Their Passwords After a Data Breach
Learning that an online service with hundreds of millions of users has found itself on the receiving end of a cyberattack is never a good thing. However, many different factors regarding the nature of the breached data and the way the company is handling the issue can make the difference between a relatively negligible problem and a complete disaster. Online graphic design platform Canva suffered a data breach on Friday, and it must be said that on the face of it at least, things don't look too bad.
Canva made the breach public immediately
Canva wasted no time making the breach public. The attack took place on Friday, May 24, and less than 24 hours later, the graphic design service already had an FAQ page set up. At first glance, the disclosure seems pretty detailed as well.
The company said that its IT team noticed unusual activity on Friday and, after a brief investigation, realized that someone was accessing people's email addresses and usernames. Canva pointed out that the attackers haven't stolen any designs and that people's payment information is safe because it is handled and stored by a secure payment processor. It also said that it salts and hashes users' passwords with bcrypt. That matters: the crooks got their hands on the hashes, but a bcrypt hash cannot be used to log in on its own, and because every hash carries its own salt and is deliberately slow to compute, recovering the passwords behind it means guessing them one record at a time. It does not make the stolen hashes useless, though. Weak or commonly used passwords can still be recovered by offline guessing, and a password that was reused on other sites is exposed as soon as it is recovered. This is why the company's advice that users should change their passwords "as a precaution" is worth following.
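To make the "hashed and salted, but still change your password" point concrete, here is an added example that is not Canva's code and is not from the original article. bcrypt lives in a third-party package, so PBKDF2-HMAC-SHA256 from the Python standard library stands in for it; the properties the breach notice relies on (a per-user random salt and a tunable work factor) are the same. The iteration count, the two sample records and the wordlist are all constructed for the demo and are not from the leak.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor, the deliberate slowness bcrypt's cost parameter provides.
# Assumed demo value; real deployments tune it to their hardware.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt and hash a password, returning (salt, digest).

    A fresh 16-byte random salt per user means two users with the same
    password get different hashes, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_offline(salt: bytes, digest: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """What an attacker holding a leaked record can do: guess, hash, compare.

    The salt sits next to the hash in the dump, so it hides nothing from the
    attacker; it only stops work being shared across users. The work factor
    makes each guess expensive, but a password that appears in a wordlist is
    still found after a handful of guesses. Returns (password_or_None, guesses).
    """
    for attempts, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest):
            return guess, attempts
    return None, len(wordlist)


# Constructed sample data: two "leaked" records, one weak password, one strong one.
WORDLIST = ["123456", "password", "qwerty", "canva2019", "Password123", "letmein"]
WEAK_SALT, WEAK_HASH = hash_password("Password123")
STRONG_SALT, STRONG_HASH = hash_password("orbit-velvet-granite-47-lantern")


if __name__ == "__main__":
    # The weak record falls on the fifth guess; the strong one survives the whole list.
    print("weak record  :", crack_offline(WEAK_SALT, WEAK_HASH, WORDLIST))
    print("strong record:", crack_offline(STRONG_SALT, STRONG_HASH, WORDLIST))
```

The lesson is the one the article draws: the hashing scheme buys time and removes the easy wins, but it does not protect a password that an attacker can guess, and it does nothing for a password reused elsewhere. Changing the password, and not reusing it, closes the gap that hashing alone leaves open.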
Based on all this, there isn't much Canva can be criticized for. A closer look reveals, however, that one or two mistakes were made.
Canva was allegedly hit by an infamous hacker
Canva did indeed announce the attack mere hours after it happened, but it was beaten to it by ZDNet's Catalin Cimpanu who broke the news on Friday after being tipped off by a hacker known as GnosticPlayers. GnosticPlayers, for those of you who don't know, has been leaking stolen login credentials for the last few months. Whoever is behind the nickname claims that they have now released more than 1 billion records which they single-handedly obtained from various online services.
They told ZDNet that they are responsible for the Canva breach and claimed that they managed to compromise the data of around 139 million users – a figure that's missing from Canva's own notification. After receiving a sample, ZDNet confirmed that GnosticPlayers did indeed have valid data and that, contrary to what Canva said on its FAQ page, the real names and locations of some users were also leaked during the attack.
The biggest mistake Canva made when handling the incident, however, was the initial email it sent to affected users. Instead of getting to the point immediately and telling people what they need to know and do, the first batch of messages started off with a paragraph which talked about recent acquisitions, "a new browse experience", and other things that had nothing to do with the fact that users' data had been accessed by a hacker. It wasn't until the second paragraph that Canva finally spilled the beans.
Many people might view this as an attempt to downplay the attack. More worrying, however, is the fact that the marketing team's efforts increase the likelihood of many users completely failing to get the information they need. Just think about how many emails you've received from online services that are bragging about new features they're introducing. Now try to remember how many of those you've deleted after barely reaching the second sentence.
After receiving some much-deserved criticism on Twitter, Canva changed the email and removed the unnecessary fluff.
The limited amount of exposed data means that people affected by the Canva breach don't have too many things to worry about, although email addresses paired with real names are enough for convincing phishing, so unexpected messages that mention Canva deserve a second look, and anyone who reused their Canva password elsewhere should change it there too. That being said, the mistakes Canva made are yet more proof that the transparent disclosure of this type of incident is just as important as the precautions that are put in place in order to prevent it. Let's hope that everybody has learned their lesson.