Canva Security Incident – May 24 FAQs

Incident Status Update


Page Updated August 10, 23:25 AEST

Some of our users have recently been notified by haveibeenpwned.com (HIBP) and Firefox Monitor of a security breach that occurred on the 24th May 2019. You can read more about the attack, how we responded, and what we did here.

The content of these notifications is accurate, and we’re grateful to HIBP and Firefox Monitor for the service they provide to the community.

For some people with Canva accounts it appears that this security notification has come as a surprise. This is regrettable. As part of our incident response, one of the first things we did was to try to contact affected users via email and through in-app alerts.

The HIBP notification has led some users to ask if their passwords were compromised. The simple answer is no. What was accessed was individually salted and bcrypt-hashed passwords. For non-technical users, this is like a super-secure one-way door that converts your password into something that is incredibly hard to convert back into the original password, even with the strongest computers.

The way we store passwords makes password guessing incredibly difficult, but it’s not impossible, and it’s easier if you have easy-to-guess passwords, such as password1, 123456! or Alex1997. So to protect our users on Canva, and elsewhere, we’ve requested that all our users change their passwords on Canva, and anywhere else they’ve used the same password. To help all our users avoid this risk, we’ve partnered with 1Password to offer one year of free access to their password manager service, and have implemented stronger password checks within Canva.
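The two points above, a random per-user salt feeding a slow one-way hash, and a strength check that rejects passwords like the ones listed, as an added example that is not Canva’s code. It uses PBKDF2-HMAC-SHA256 from Python’s standard library in place of bcrypt so it runs without third-party packages; the denylist is constructed from the page’s own weak examples, and the minimum length of 10 is a hypothetical rule, since the page does not say which checks were added.

```python
import hashlib
import hmac
import os

# Constructed denylist: the weak examples from the notice, lower-cased.
# A real deployment would check against a large breached-password list.
WEAK_PASSWORDS = {"password1", "123456!", "alex1997"}
MIN_LENGTH = 10  # hypothetical rule, not a value from the page


def check_password_strength(password):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("on weak-password denylist")
    return reasons


def hash_password(password, salt=None, iterations=200_000):
    """One-way hash with a fresh random salt per user.

    Two users with the same password get different stored values, so a
    precomputed table of hashes is useless and each hash must be attacked
    on its own. The iteration count makes each guess deliberately slow.
    Stored format: hex(salt)$iterations$hex(digest).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password):
    """Apply the strength check before storing; return (stored_hash, reasons)."""
    reasons = check_password_strength(password)
    if reasons:
        return None, reasons
    return hash_password(password), []


if __name__ == "__main__":
    stored, why = register("password1")
    print("weak password rejected:", why)
    stored, why = register("correct horse battery staple")
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("password1", stored))
```

Note that the salt is stored alongside the hash in the clear; its job is not secrecy but uniqueness, which is why a leaked table of salted hashes still forces an attacker to work on every record separately.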

Since the incident, we’ve introduced a number of internal changes to protect your data. Working closely with the cyber security consultancy Mandiant and other partners, we’ve identified the extent of the attack and its causes, and made changes to our systems to build an additional layer of protection for our users. We’ll be providing a postmortem of the incident in due course, but in the meantime, if you have any further questions, or would like to learn more about the measures we’ve taken to ensure your data is secure on Canva, please feel free to reach us at [email protected].



June 1, 10:13 AEST

Following an investigation with cyber security experts, we now have a better understanding of the impact of the attack and want to provide as much context as we can to our community.

On Friday 24th May 2019, we detected a malicious attack on our systems, which we stopped as it was occurring. Our first response was to lock down Canva, then notify authorities and users that the breach had occurred. Because the intruder was interrupted mid-attack, they took a tactic different from most security incidents and tweeted about the attack, which required a rapid communication response.

Since then we have worked with cyber security experts and authorities, such as the FBI, to help protect our users, and are communicating the latest information below.

What did the attacker do?


  • They accessed information from our profile database for up to 139 million users. The profile database contains usernames, names, email addresses, country, and optionally, user-supplied data about their city and/or homepage URL which was available through their public profile.
  • They accessed cryptographically protected passwords (these were individually salted and hashed with bcrypt) for any of those users with username/password logins.
  • They claimed to have obtained OAuth login tokens for users who signed in via Google. Our OAuth tokens are encrypted with AES128 and the encryption keys are securely stored elsewhere. We have found no evidence they downloaded the OAuth tokens or tried to access the keys.
  • They briefly viewed files with partial credit card and payment data. We found no evidence these files were stolen. Files contained partial credit card data from before September 28, 2016 (name, expiry date, last 4 digits, card brand and card country), and payment histories from before September 16, 2017 that contained transaction dollar amounts, dates, and IDs for some payments for users and contributors. These limited card details cannot be used for payments. Canva never stores full credit card details.

Designs and images are securely stored in separate systems. There has been no indication that any user designs or images have been accessed.

What is Canva doing about it?


We continue to invest heavily in security. We intend to publish a technical post mortem of the incident once our investigations are complete. Our first priority, though, is to protect our users. Here’s what we’re doing:

  • Notifying our users: We want our users to know that they’ve been affected. We’ve directly contacted users via email, but some users have out-of-date or incorrect email details so we have also used in-app notifications and the press to alert users to the breach. We are following up on our initial notification with individual emails to each user outlining what data was accessed.
  • Prompting users to change passwords: We’ve asked all users who had passwords set before the attack to change them, and are adding rules to help users set stronger ones.
  • Resetting OAuth tokens: We’ve worked with our partners to make sure all active login tokens that existed prior to the breach are reset. These users will be prompted to reconnect their Canva account.
  • Coordinating with partners: We are working with partner agencies to share information about the attack, identify the risk to users, and coordinate responses. For example, we’re alerting the email abuse teams of major providers to make it harder for attackers to phish our users.
  • Partnering with 1Password: While we recommend that our users use different passwords for each site they use, we know that’s hard. We have partnered with 1Password to offer a year free to Canva users who don’t already use their service.

What can Canva users do?


  • Change your password: If you have a password on Canva and haven’t done so already, we are recommending that everyone change their password on Canva [https://www.canva.com/account/reset/], and if you used the same password on other sites you should change those too.
  • Report suspicious emails: As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you do receive any emails that you believe are suspicious, do not click on them and do not respond. We encourage you to flag them with your email provider.
  • Use a password manager: We recommend you use a password manager such as 1Password or Google Chrome to generate and remember a unique, secure password for each site you use.
  • Update your Google/Facebook login if we’ve disconnected it: If you sign in using Facebook or Google, we may have reset your login. Just log in again to get back into your Canva account.
  • Update your contact details: Once you have logged in to Canva, please add or update your contact details so we can always contact you about your account.

A final word


We are deeply sorry that this has happened. Everyone at Canva has been on the receiving end of updates like this, and at a personal level we know how upsetting it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.

Sebastian Welsh
Head of Security, Canva
