Canva Hit With Data Breach – 139 Million Accounts Compromised Drew Wilson | May 30, 2019 Australian based web service Canva is one of the more recent victims of a data breach. 139 million accounts have been reportedly compromised. May is proving to be a pretty bad month for data breaches and leaks. May started off with a bang when a hacker posted half a terabyte of data onto the Tor network. That compromised customer accounts of numerous companies like Oracle, Toshiba, BT, Porsche, and many other companies. After that, another data breach exposed nearly 40% of the entire population of Australia. StackOverflow also suffered from a data breach, but the number of accounts compromised is unknown. Finally, Instagram suffered from a data leak where 49 million accounts were compromised. As we approach the end of the month, it seems the hits just keep on happening. Another data breach has occurred. This time, it is Australian graphic design service Canva who is the latest victim. In all, 139 million accounts have been compromised. From ZDNet: Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned. Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet. Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning. “I download everything up to May 17,” the hacker said. “They detected my breach and closed their database server.” Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available. For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around. The report goes on to detail how 78 million of those compromised accounts included Google tokens which can be used to log in to the site without a password. Canva, for its part, is investigating the incident, saying that they are asking their users to change their passwords as a precaution. Probably one of the few bits of good news in all of this is that there is no report that credit card information was also compromised. So, the damage can be somewhat limited to compromised login credentials and locations. Still, it’s possible to use such information to access related services with those login credentials. This is especially true for anyone who re-uses the password to anything that is more sensitive such as banking login credentials. So, if that is the case, then those users should consider changing the passwords of those services as well just in case. Drew Wilson on Twitter: @icecube85 and Facebook.