According to the initial reports in May 2019, the Canva breach affected 137 million subscribers. Canva is one of Australia's biggest tech companies and a favorite among people who use it to build quick websites, design logos, or put together eye-catching marketing materials. On Alexa, the website's traffic rank was inside the Top 200. So this leak was a huge shock, especially among graphic designers.
The exposed data included:
user addresses and cities of residence
passwords, stored as bcrypt hashes
After half a year, on the 11th of January 2020, Canva officially confirmed that a list of approximately 4 million accounts stolen in the breach had been shared online with their passwords cracked. The incident also leaked victims' personal information, such as names and addresses, but the company focused mainly on keeping its users' accounts safe. Although the breach took place on a graphic design website, it affected the whole internet, because both the hacker and the way the breach was exposed were so unusual.
2. Who disclosed the breach
Who disclosed the breach? Not Canva, not the victims, but the hacker itself, known as GnosticPlayers. On May 24, 2019, the same day as the incident, ZDNet was told of the breach by the hacker through a private channel and publicized it on its website immediately.
GnosticPlayers did this not for fun but for money. It (maybe he, she, or they) was an infamous figure on the dark web, selling data on 932 million users from 44 companies worldwide at the time the breach happened.
In most cases, hackers stay hidden. But the Canva breach was reported to ZDNet within a few hours of the hacker downloading the data, almost the same moment Canva detected the breach and shut down its database server.
To prove the breach, the hacker sent a sample of 18K accounts, including the accounts of Canva staff and admins. So the victims who learned of the incident earliest were those in the sample who were verified by ZDNet, which contacted Canva users to confirm the validity of the sample and contacted the site's administrators to inform them of the breach.
In the public eye, the disclosure of this breach completely reversed the usual picture of how a cybercriminal is uncovered. A hacker with a large volume of victims and a high profile, like GnosticPlayers, can behave in such a conspicuous way.
According to Canva's statement, all of its passwords were hashed with bcrypt, which is currently considered one of the most secure password-hashing algorithms.
When the incident happened, the company said that it stored passwords securely using the highest standards (hashed with bcrypt) and that there was no evidence any users' credentials had been compromised.
However, after half a year, Canva became aware of 4 million accounts with cracked passwords being sold online. On the 11th of January 2020, the company announced that it would take immediate action to deal with the possible cracking of the stolen password hashes.
The main steps are as follows:
Restrict accounts with unchanged passwords from logging in to Canva.
Commence invalidating unchanged passwords.
Notify users if their passwords are in the sold or shared list.
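A worked version of the three steps above, added here as an illustration and not Canva's own code: a triage routine that decides, per account, which response steps apply. The breach date (24 May 2019) comes from the article; the account records, the "shared list" and the extra step of revoking a Google sign-in token are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# From the article: the data was taken on 24 May 2019. Any password not
# changed after that date must be treated as exposed, even if not yet cracked.
BREACH_DATE = date(2019, 5, 24)

@dataclass
class Account:
    email: str
    # None models a user who only ever signed in with a Google token and has
    # no Canva password (the article says such tokens leaked too).
    password_changed: Optional[date]

def triage(accounts, leaked_emails):
    """Map each account to the response steps from the article:
    block login + invalidate for unchanged passwords, notify if on the list."""
    leaked = {e.lower() for e in leaked_emails}
    plan = {}
    for acct in accounts:
        steps = []
        if acct.password_changed is None:
            # Assumed extension: no password to reset, but the leaked
            # sign-in token must not keep working.
            steps.append("revoke_google_token")
        elif acct.password_changed <= BREACH_DATE:
            # A change on the breach day counts as unchanged: the dump may
            # already contain the new hash.
            steps += ["block_login", "invalidate_password"]
        if acct.email.lower() in leaked:
            steps.append("notify_user")
        plan[acct.email] = steps
    return plan

def demo():
    # Constructed sample: four accounts and a constructed "shared list".
    accounts = [
        Account("alice@example.com", date(2018, 11, 2)),   # old password, on the list
        Account("bob@example.com", date(2019, 9, 30)),     # rotated after the breach
        Account("carol@example.com", date(2019, 5, 24)),   # changed on breach day
        Account("dave@example.com", None),                 # Google sign-in only
    ]
    shared_list = ["ALICE@example.com", "dave@example.com"]
    return triage(accounts, shared_list)

if __name__ == "__main__":
    for email, steps in demo().items():
        print(f"{email}: {', '.join(steps) or 'no action'}")
```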
The cracking of passwords protected by the highest standard is an impressive lesson for both service vendors and users. Canva emphasized that 7 months had passed since the hackers obtained the hashed password data. In other words, it admitted that hackers can crack them given enough resources and time. And indeed, approximately 4 million accounts had been cracked by then and were available on the internet.
So the conclusion is that no password-hashing algorithm is unbreakable; neither vendors nor users should trust an algorithm with full confidence. Passwords and password hashes are like locks: they can stop some thieves, but not all of them.
4. What we can learn
Let's go back to the key of the Canva breach: passwords.
The breached accounts number about 139 million users. Of these, 78 million users had a Gmail address associated with their Canva account and used a Google token to access Canva. (Unfortunately, these tokens were leaked too.) Therefore, the actual number of breached passwords is around 60 million.
We have the numbers:
Breached passwords: 60 million
Cracked passwords: 4 million (after 6 months)
This means that after half a year, less than one-tenth of the passwords had been cracked. So these tips will improve your information security:
Update your password as soon as you get breach news or a warning.
Regularly update passwords every 2-3 months, in case of any unknown leakage.
Choose complex passwords for critical accounts to prolong the time needed to crack them.