Data breaches are common with renowned websites and services worldwide. A cyberattack on one service’s website can cause significant damage to user data and the organisation’s reputation. A few years ago, Canva, the world-renowned photo-editing software, reported several attacks on its user database.

This article sheds light on the Canva data breach, what happened, what the attackers did and how Canva responded to the jeopardy its users faced.

What is a Data Breach?

A data breach is an incident where sensitive, protected information is accessed or disclosed without authorisation. It occurs when unauthorised individuals or groups gain access to this information. The sensitive data can include personal information (such as names, addresses and email addresses) and financial information (like banking information and credit card numbers). A data breach can include intellectual property information (such as trade secrets, patents and copyrights).

What is Canva?

Canva Data Breach, the platform’s official website

Canva is a popular online graphic design platform used by millions worldwide. The platform allows users to create great visual art such as social media graphics, presentations, posters and more. A free basic plan on Canva’s website and a paid subscription offer additional features and benefits.

Canva is ideal for individuals looking for easy-to-use design tools. It allows businesses and organisations to create professional-looking visuals while social media managers can craft engaging content. Even students and educators can utilise Canva’s tools to make presentations and other explanatory materials.

What are Canva’s Features?

The platform allows users from various backgrounds to create unique and appealing visuals, whether images or videos. The tool’s features allow them to create logos, layered images, presentations and edit videos. Here’s a quick overview of these creative features.

Design Templates

Canva’s vast library of professionally designed templates serves various design needs. These include social media posts, presentations, marketing materials, posters and more. The templates represent a superb starting point for users aiming to create professional-looking designs without starting from scratch.

A Vibrant Drag-and-Drop Interface

Whether you’ve used the platform before or are looking forward to getting started, worry not. The tool has a user-friendly drag-and-drop interface, making it easy for anyone to create designs, regardless of their design experience. Users can intuitively drag and drop elements such as text, images, shapes and icons onto the canvas to create their desired layout or design.

Extensive Image and Element Library

Canva’s library includes free and premium images, illustrations, icons and other elements for users to incorporate into their designs. This eliminates the need to search for images elsewhere, saving time and effort, especially with a deadline. The users’ touch and additions make the designs unique and stand out.

Text Editing and Adding Effects

Canva’s various text editing tools and effects allow users to customise their text with multiple fonts, colours, sizes and styles. Users can also add text effects such as shadows, outlines and gradients to highlight the text further and make it stand out.

Collaboration Tools

Canva’s collaboration tools allow real-time collaboration, enabling teams to work on designs together simultaneously. This valuable feature is essential for businesses and organisations that must create designs as a team, allowing the true manifestation of team spirit.

Brand Kit Integration

If you have a brand identity and would like to create images that align with this identity, you can easily integrate the brand identity into the platform by uploading all its files, such as logos, fonts and colour palettes. This ensures that all your designs are consistent with your brand image.

Social Media Scheduling

Canva integrates with major social media platforms, allowing users to schedule their designs to be published automatically. This saves time and helps ensure your social media content is consistent and well-planned. It also helps achieve your social media marketing strategy by engaging users with eye-catching content.

What are Canva’s Plans and Pricing?

Canva Data Breach, There are free and paid options available to register with the platform

There are free and paid options available to register with the platform. The free options include plans for individuals and registered charities, an incredible gesture from the platform’s team. Obtaining the free version is straightforward for individuals; you simply register your email and create your profile, and this individual account serves only one person. If you’re a non-profit organisation, you can read the platform’s eligibility guidelines and apply accordingly.

Canva Pro, for individuals, costs nearly $4 per month and $32 per year for one person and unlocks unlimited templates, compared to the limit of 250,000 templates in the free version, just to cite one difference. The Business Plan, also known as the Teams Plan, has several pricing options depending on the number of your employees. You can choose packages from 1-5, up to 50 people, and the prices change accordingly. It’s worth noting that Canva Pro and Canva for Teams offer a free trial so that users can familiarise themselves with the platform.

The platform has specified an educational corner that offers design capabilities for students, college students and even teachers and educators from all walks of life. You can even integrate Canva with your learning management system and use it for case studies.

What is the Canva Data Breach?

As stated on Canva’s website, there has been a major data breach of the platform’s data. This data breach initially occurred in May 2019, although its full implications weren’t uncovered until the following year. We’re shedding light on this data breach, citing what happened, what data was compromised and how Canva responded to the attack. We applaud the platform’s transparency by sharing this information on their official website for their customers to watch out for.

Canva Data Breach 2019/2020

According to the platform’s official Security Incident Report, a data breach affecting nearly 139 million users took place. The report declared that in May 2019, cyber attackers hacked into the platform’s database and could view the users’ profiles and access their protected passwords. Furthermore, the attackers viewed users’ financial information files, such as credit card numbers. They allegedly stole OAuth login tokens used through Google to sign in, although no evidence of these two incidents was found.

What Did the Attackers Do?

  1. The attackers stole email addresses and usernames, which can be used for targeted phishing attacks and spam emails.
  2. They stole affected users’ names and city/country information, which raises the danger of stalking and building detailed individual profiles.
  3. Stolen password hashes can be easily cracked using proper techniques, especially if the hashing algorithm is weak.
  4. Stolen partial credit card details can be used for fraudulent transactions when combined with other stolen data.
  5. Seven months after the initial attack took place, the hackers made the login information and credentials of almost 4 million Canva users available online, jeopardising user information.  

How Did Canva Respond to the Attack?

Canva Data Breach, the platform has been transparent about the attack

Canva was transparent about the attack immediately after discovering it, and shared the findings of its investigation, along with any protective measures it was undertaking, over several official briefs. The platform discovered the attack as it was still underway; if they hadn’t, the attackers could’ve possibly stolen more data. The platform shut down its services temporarily and notified the authorities to assist in responding appropriately.

Here’s the platform’s official response plan:

  1. Canva proactively reset passwords for all affected users, forcing them to choose new and stronger passwords. It declared that if a user had changed their password during the seven-month period after the attack, they needn’t change it again.
  2. In January 2020, Canva proactively changed the passwords of all affected users who hadn’t responded to their notification to do so, notified the users of such changes and requested these users to verify their identity to regain access.
  3. The platform also notified users with decrypted passwords to change the credentials of any other platforms for which they used the same password.
  4. Upon discovering the compromised 4 million user accounts made available online, Canva immediately contacted users to change their credentials and restricted access to any of the four million accounts with unchanged passwords following the attack.
  5. Canva added a multi-factor authentication step to significantly increase security by requiring an additional verification step beyond just a password.
  6. Since the attack, the platform has been investing in improving its security infrastructure and protocols to prevent future breaches. Such measures include enhanced data encryption, intrusion detection systems and vulnerability management.
  7. Canva has been actively working and sharing information about the attack with active partners to prevent the phishing of user data.
  8. The platform has partnered with 1Password, a solid password manager, to provide users with a free year’s license for the manager’s services to ensure the safety of their passwords.
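
The password-reset decisions in steps 1, 2 and 4 above can be expressed as a small triage function. This is an added example, not Canva’s code; the `Account` fields, the action names and the exact days of the month are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

UTC = timezone.utc
# Months come from the article; the exact days are constructed placeholders.
BREACH_START = datetime(2019, 5, 1, tzinfo=UTC)
FORCED_RESET_FROM = datetime(2020, 1, 1, tzinfo=UTC)

class Action(Enum):
    NONE = "no action"
    NOTIFY = "notify user to change password"
    FORCE_RESET = "reset password, require identity verification"
    RESTRICT = "restrict access until password is changed"

@dataclass
class Account:
    email: str
    affected: bool        # present in the breached data set
    in_public_leak: bool  # credentials appeared in the published list
    password_changed_at: Optional[datetime]  # None = never changed

def triage(acct: Account, now: datetime) -> Action:
    """Pick the response action for one account at time `now`."""
    changed = acct.password_changed_at
    rotated = changed is not None and changed > BREACH_START
    if not acct.affected or rotated:
        return Action.NONE         # rotated users need not change again
    if acct.in_public_leak:
        return Action.RESTRICT     # credentials are public: lock first
    if now >= FORCED_RESET_FROM:
        return Action.FORCE_RESET  # earlier notification went unanswered
    return Action.NOTIFY

def plan(accounts, now):
    """Group account e-mails by the action needed at time `now`."""
    result = {action: [] for action in Action}
    for acct in accounts:
        result[triage(acct, now)].append(acct.email)
    return result

# Constructed sample accounts (not real data).
SAMPLE = [
    Account("a@example.com", True, False, datetime(2019, 8, 3, tzinfo=UTC)),
    Account("b@example.com", True, False, datetime(2018, 2, 9, tzinfo=UTC)),
    Account("c@example.com", True, True, None),
    Account("d@example.com", False, False, None),
    Account("e@example.com", True, True, datetime(2019, 12, 20, tzinfo=UTC)),
]
```

Calling `plan(SAMPLE, now)` with a date before and after January 2020 shows the same unrotated account moving from a notification to a forced reset.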

Canva User Recommendations

In addition to the steps the platform took after the attack, it urged users to take further steps to protect their information. These steps included regularly changing passwords and avoiding using one password for multiple websites.

  1. Users are encouraged to use password managers to secure their passwords safely.
  2. If a Canva user received a suspicious email, the platform advised not to click on any links or download any attachments; it could be a phishing attempt. When in doubt, it’s best to contact the platform’s support.
  3. If a user logged into Canva using their Google or Facebook accounts, the platform recommended changing the passwords of these services for extra security.
  4. Canva pled with users to confirm their contact information after regaining access to their accounts to facilitate future communications.

It’s worth noting that not all 139 million users were equally affected. Some users’ basic information had been exposed, while others might have had password hashes or partial credit card details leaked. We must also stress that security measures aren’t enough; using strong, unique passwords for each online account is crucial. Regularly check for updates and announcements from Canva regarding their security practices and any potential future breaches.

The Canva data breach highlights the importance of data security and individual vigilance. While companies must implement robust security measures, users must also practice good cyber hygiene to protect their information.