What Happened
In May 2019, graphic design platform Canva suffered a data breach detected on May 24, when hacker GnosticPlayers accessed its profile database, compromising data from approximately 137-139 million user accounts, including usernames, email addresses, names, cities/countries of residence, and bcrypt-hashed passwords for about 61 million users without social logins (plus encrypted Google OAuth tokens for others). Canva promptly locked down systems, notified users and authorities (including the FBI), reset affected passwords and tokens, and recommended immediate password changes; by January 2020, about 4 million decrypted passwords from the breach surfaced online, prompting further resets for unchanged accounts. No full credit card details or user designs were stolen, though partial legacy payment info was briefly viewed but not exfiltrated, and the company later enhanced security with audits, better encryption, and MFA.
