Canva Hacking 2019 of GnosticPlayers

Breach and Leak Report: The Canva breach impacted 137 million subscribers, and 78 million Gmail tokens were leaked as well. What made this breach unusual was that GnosticPlayers, the hacker, disclosed it themselves.

By Jackson White
1. Overview
The Canva breach impacted 137 million subscribers. Because 78 million of those users had a Gmail address associated with their Canva account, their Google tokens were leaked too. Of the roughly 60 million passwords that were actually breached, around 4 million were cracked and shared online. The most remarkable aspect of the breach was that the hacker, GnosticPlayers, exposed it to the media.

According to the initial reports in May 2019, the Canva breach affected 137 million subscribers. Canva is one of Australia's biggest tech companies and a favorite among people who use it to build quick websites, design logos, or put together eye-catching marketing materials; on Alexa, the site's traffic rank was inside the top 200. The leak was therefore a huge shock, especially for graphic designers.

The exposed data included:
  • email
  • username
  • real name
  • user address and city of residence
  • passwords, stored as bcrypt hashes
Half a year later, on January 11, 2020, Canva officially confirmed a list of approximately 4 million accounts stolen in the breach whose passwords had been cracked and shared online. Although the breach happened on a graphic design site, it affected the whole internet, because the attacker and the manner of exposure were so unusual. The incident also leaked victims' personal information, such as names and addresses, but the company focused mainly on keeping its users' accounts safe.

2. Who disclosed the breach
Who disclosed the breach? Not Canva, and not the victims: it was the hacker, known as GnosticPlayers. On May 24, 2019, the same day as the incident, the hacker privately tipped off ZDNet, which published the story on its website right away.

GnosticPlayers did this not for fun but for money. Whether an individual or a group, GnosticPlayers was already a notorious figure on dark-web markets, and at the time of the breach was selling the data of 932 million users from 44 companies worldwide.

In most cases, hackers stay in the shadows. But the Canva breach was reported to ZDNet just a few hours after the hacker downloaded the data, almost at the exact moment Canva detected the breach and shut down its database server.

To prove the breach, the hacker sent ZDNet a sample of 18K accounts, which included Canva staff and admins. ZDNet contacted Canva users to confirm that the sample was genuine and reached out to the site's administrators to inform them of the breach. So the earliest victims to learn of the incident were those in the sample, whose data ZDNet verified.

Publicly, the way the breach was disclosed reversed the usual pattern of how a cybercriminal is uncovered. A hacker with a large victim count and a high profile, like GnosticPlayers, can operate in full view rather than in hiding.

More reading: Story from ZDNet

3. Is encryption useful
According to Canva's statement, its passwords were protected with the bcrypt algorithm, which is currently considered one of the most secure password-hashing algorithms.

When the incident happened, the company said it stored passwords securely to the highest standards (hashed with bcrypt) and that there was no evidence that any user credentials had been compromised.

However, half a year later, Canva became aware that around 4 million accounts with cracked passwords were being sold online. On January 11, 2020, the company announced that it was taking immediate action to deal with the cracking of the stolen password hashes.

The main steps were as follows:
  • Block login with passwords that had not been changed since the breach.
  • Begin invalidating those unchanged passwords.
  • Notify users whose passwords appear in the list being sold or shared.
The cracking of hashes produced by a state-of-the-art algorithm is a striking lesson for both service vendors and users. Canva emphasized that seven months had passed since the hackers obtained the hashed password data; in other words, it acknowledged that attackers with enough resources could crack them given that time. And indeed, approximately 4 million accounts had been cracked by then and were available on the internet.
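The three steps above, as a defender would apply them over a user table; this is an added illustration, not Canva's code. It substitutes PBKDF2 from the standard library for bcrypt as the slow hash, and the accounts, their change dates and the "shared list" of cracked passwords are constructed.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import date
# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a per-user salt (standard library only).
# Iteration count kept low so the example runs fast; production values are far higher.
ITERATIONS = 10_000
BREACH_DATE = date(2019, 5, 24)  # day the Canva database was accessed

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    password_changed: date
    must_reset: bool = False
    notified: bool = False

def make_account(email, password, changed):
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt), changed)

def remediate(accounts, leaked_pairs):
    """Steps 1-2: invalidate every password not changed since the breach. Step 3: for each
    (email, cracked plaintext) in the shared list, test the plaintext against the account's
    current hash; if it still matches, reset the account and mark the user for notification."""
    done = {"invalidated": [], "notified": []}
    for acct in accounts.values():
        if acct.password_changed <= BREACH_DATE:
            acct.must_reset = True
            done["invalidated"].append(acct.email)
    for email, plaintext in leaked_pairs:
        acct = accounts.get(email)
        if acct is None:
            continue  # leaked entry for an address we do not hold
        if hmac.compare_digest(hash_password(plaintext, acct.salt), acct.pw_hash):
            acct.must_reset = True  # also catches a user who rotated back to the leaked password
            acct.notified = True
            done["notified"].append(email)
    return done

def demo():
    # Constructed user table and a constructed shared list of (email, cracked password) pairs.
    accounts = {a.email: a for a in [
        make_account("alice@example.com", "Sunflower2019", date(2019, 1, 10)),  # never rotated
        make_account("bob@example.com", "correct horse", date(2019, 6, 2)),     # rotated after breach
        make_account("carol@example.com", "carol123", date(2019, 11, 1)),       # "rotated" to same value
        make_account("dave@example.com", "x9!Lq2#v", date(2019, 5, 24)),        # changed on breach day
    ]}
    leaked = [("alice@example.com", "Sunflower2019"), ("bob@example.com", "oldpassword"),
              ("carol@example.com", "carol123"), ("nobody@example.com", "guest")]
    return remediate(accounts, leaked)
```

Bob rotated after the breach and his leaked value no longer matches, so he is left alone; Carol "rotated" after the breach but to the very password in the shared list, so the hash check still catches her.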

So the conclusion is that no algorithm is safe on its own; neither vendors nor users should trust an algorithm with complete confidence. Passwords and their hashes are like locks: they stop some thieves, but not all of them.

4. What we can learn
Let's go back to the key to the Canva breach: passwords.

The breached accounts number about 139 million users, but 78 million of them had a Gmail address associated with their Canva account and used a Google token to access Canva (unfortunately, these tokens were leaked too). Therefore, the passwords actually breached number around 60 million.

The numbers are:
  • Breached passwords: 60 million
  • Cracked passwords: 4 million (after six months)
This means that after half a year, less than one-tenth of the passwords had been cracked. The following tips will improve your information security.

  1. Change your password as soon as you receive breach news or a warning.
  2. Rotate your passwords regularly, every 2-3 months, in case of an unknown leak.
  3. Choose complex passwords for critical accounts to prolong the time needed to crack them.
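To put tip 3 in numbers, here is an added estimator (not from the original article) of how the bcrypt cost factor and password complexity set the expected cracking time against the seven-month window between the theft and the cracked list appearing. The attacker guess rate, the reference cost and the tiny common-password list are assumed values chosen for illustration.

```python
import string

# Assumed reference point, constructed for this example (not a measured benchmark):
# an attacker's rig that computes 100,000 bcrypt hashes per second at cost factor 5.
REF_COST = 5
REF_RATE = 100_000
WINDOW_DAYS = 213  # roughly the seven months between the May 2019 theft and January 2020

# Tiny constructed stand-in for a common-password list; real lists hold millions of entries.
COMMON = {"123456", "password", "qwerty", "canva2019"}

def guesses_per_second(cost):
    """bcrypt doubles its work with each cost increment (2**cost rounds), halving the guess rate."""
    return REF_RATE / 2 ** (cost - REF_COST)

def keyspace(password):
    """Candidates an attacker must try: the list for common passwords, otherwise
    the full space spanned by the character classes the password actually uses."""
    if password in COMMON:
        return len(COMMON)
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)

def expected_crack_days(password, cost):
    """Average time to hit the password: half the keyspace at the cost-adjusted guess rate."""
    return keyspace(password) / 2 / guesses_per_second(cost) / 86400

def survives_window(password, cost, days=WINDOW_DAYS):
    """True if the expected crack time exceeds the exposure window (tip 3: complexity buys time)."""
    return expected_crack_days(password, cost) > days

def report(passwords, cost):
    """Compare several passwords at one cost factor; returns {password: (days, survives)}."""
    return {p: (round(expected_crack_days(p, cost), 3), survives_window(p, cost)) for p in passwords}
```

Under these assumptions an eight-letter lowercase password falls in about 12 days at cost 5 but outlasts the window at cost 12, while a common-list entry falls instantly at any cost, which is why the algorithm alone cannot protect a weak choice.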