Canva, an Australian web design service, has been hacked, with the attacker claiming to have made off with the data of 139 million users.
Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, they have put up for sale on the dark web the data of 932 million users, which they stole from 44 companies from all over the world.
This data includes names, email addresses, and city and country information. If you’ve ever signed up for Canva, you should probably change your Canva account password. If you’ve ever used that same password elsewhere, definitely change it on those other services.
However, Canva also lets you use its services by signing in with your Google or Facebook accounts, and there is no evidence that those accounts are in any danger from this breach.
“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised,” the company reportedly said. “As a safeguard, we are encouraging our community to change their passwords as a precaution.”
The passwords may remain unreadable to the hacker, but as a best practice, Canva has sent email notifications asking users to change their passwords.
For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.
Bcrypt is a strong, deliberately slow password-hashing algorithm that was designed to be difficult and time-consuming for a “cracker” to reverse. (Hashing is a one-way transformation, used for items that are never meant to be decrypted.) Each password was “salted” with additional random data to make hash-cracking even more difficult.
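The two properties described above (a separate salt for every password and a deliberately slow hash) can be seen in a short sketch. This is an added example, not code from Canva or from the original article. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it; the record format, function names, `COST` value and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

COST = 12  # assumed work factor; as with bcrypt's cost, iterations = 2**COST

def unsalted_hash(password: str) -> str:
    """Weak baseline: a single fast SHA-256 pass with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, cost: int = COST) -> str:
    """Random per-user salt plus a slow KDF (PBKDF2 standing in for bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    # Cost and salt are stored beside the digest, as a bcrypt hash string does.
    return f"{cost}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored cost and salt, then compare in constant time."""
    cost, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 2 ** int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_hashes(records: list) -> int:
    """Count stored values that also appear for at least one other account."""
    counts = Counter(records)
    return sum(n for n in counts.values() if n > 1)

# Constructed sample data: three accounts, two of which reuse one password.
USERS = {"alice": "sunflower-42", "bob": "sunflower-42", "carol": "k9!Trellis"}

def demo() -> dict:
    weak = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    strong = {user: hash_password(pw) for user, pw in USERS.items()}
    return {
        # Without a salt, alice and bob store the same value.
        "weak_shared": shared_hashes(list(weak.values())),
        # With per-user salts, every stored record is unique.
        "strong_shared": shared_hashes(list(strong.values())),
        "verify_ok": verify_password("sunflower-42", strong["bob"]),
        "verify_bad": verify_password("sunflower-43", strong["bob"]),
    }

if __name__ == "__main__":
    print(demo())
```

Because every record carries its own salt, recovering one account's password tells an attacker nothing about another account that uses the same password, and each guess must be paid for again at the full work factor.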
Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.