Welcome! How can we help?

Sorry, there are no results.
Menu

Home

Getting Started

Navigate Your Homepage

Create Your Design

Canva Pro

Team Settings

Billing and Plans

Publish

Contributors

Canva Print

Canva for Android

Canva for iOS (iPhone and iPad)

Canva Pro on iOS

Canva Pro on Android

Legal

Contact us

Introduction to Canva

Design with Canva

Publish Anywhere

Working as a Team

Good to Know

Your Canva Homepage

Templates (Layouts)

Elements

Uploads

Apps

Search

Grids and Frames

Text and Textholders

Photos

Backgrounds

Graphics

Charts

Page Setup

Folders

Lock elements in your design

Security

Reset your password

Canva Glossary

Nonprofit Program

Log In and Out

Transferring designs

Getting Started with Canva Pro

Commenting on designs

Brand Kit Pro

Animation Pro

Folders Pro

Free Content

Magic Resize Pro

Publish Pro

Team Templates

Text Pro

Uploads Pro

Creating a Canva Team

Adding and removing members

Roles and Permissions in Canva

Change your team name

Purchasing premium elements

Invoicing

Payment Options

Change/Cancel your Canva Pro plan

Billing for China

Share to social media

Save

Download

Advanced download options

Share your design

Printing

Watermarks

Schedule

Preparing Photos for Canva

Preparing Vectors for Canva

File Transfer Protocol (FTP)

Contributor FAQ's

Contributor Help

Preparing your design for print

Manage and Track Your Order

Sending your design to print

Product Information

Pricing Information

Design Guidelines

Print Customer Service Policy

Shipping Information

Create your design on Android

Search for Android

Photos and videos for Android

Objects for Android

Text for Android

Saving and sharing for Android

Billing for Android

Teams for Android

Create your design on iOS

Layouts for iOS

Search for iOS

Photos and videos for iOS

Objects for iOS

Text for iOS

Saving and sharing for iOS

Billing for iOS

Teams for iOS

Getting Started with Canva Pro on iOS

Brand Kit (iOS)

Images Pro for iOS

Canva Pro features (iOS)

Brand Kit (Android)

Canva Pro features (Android)

Getting started with Canva Pro on Android

Images Pro for Android

Licensing

Privacy

Terms of Use

Send us a Legal query

Customer support

Something's not working

Canva Security Incident – May 24 FAQs

Incident Status Update


Page Updated June 1, 10:13 AEST

Following an investigation with cyber security experts, we now have a better understanding of the impact of the attack and want to provide as much context as we can to our community.

On Friday 24th May 2019, we detected a malicious attack on our systems, which we stopped as it was occurring. Our first response was to lock down Canva, then notify authorities and users that the breach had occurred. Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response.

Since then we have worked with cyber security experts and authorities, such as the FBI, to help protect our users, and are communicating the latest information below.

What did the attacker do?


  • They accessed information from our profile database for up to 139 million users. The profile database contains usernames, names, email addresses, country, and optionally, user-supplied data about their city and/or homepage URL which was available through their public profile.
  • They accessed cryptographically protected passwords (these were individually salted and hashed with bcrypt) for any of those users with username/password logins.
  • They claimed to have obtained OAuth login tokens for users who signed in via Google. Our OAuth tokens are encrypted with AES128 and the encryption keys are securely stored elsewhere. We have found no evidence they downloaded the OAuth tokens or tried to access the keys.
  • They briefly viewed files with partial credit card and payment data. We found no evidence these files were stolen. Files contained partial credit card data from before September 28, 2016 (name, expiry date, last 4 digits, card brand and card country), and payment histories from before September 16, 2017 that contained transaction dollar amounts, dates, and IDs for some payments for users and contributors. These limited card details cannot be used for payments. Canva never stores full credit card details.

Designs and images are securely stored in seperate systems. There has been no indication that any user designs or images have been accessed.

What is Canva doing about it?


We continue to invest heavily in security. We intend to publish a technical post mortem of the incident once our investigations are complete. Our first priority, though, is to protect our users. Here’s what we’re doing:

  • Notifying our users: We want our users to know that they’ve been affected. We’ve directly contacted users via email, but some users have out-of-date or incorrect email details so we have also used in-app notifications and the press to alert users to the breach. We are following up on our initial notification with individual emails to each user outlining what data was accessed.
  • Prompting users to change passwords: We’ve asked all users who had passwords set before the attack to change them, and are adding rules to help users set stronger ones.
  • Resetting OAuth tokens: We’ve worked with our partners to make sure all active login tokens that existed prior to the breach are reset. These users will be prompted to reconnect their Canva account.
  • Coordinating with partners: We are working with partner agencies to share information about the attack, identify the risk to users, and coordinate responses. For example, we’re alerting the email abuse teams of major providers to make it harder for attackers to phish our users.
  • Partnering with 1Password: While we recommend that our users use different passwords for each site they use, we know that’s hard. We have partnered with 1Password to offer a year free to Canva users who don’t already use their service.

What can Canva users do?


  • Change your password: If you have a password on Canva and haven’t done so already, we are recommending that everyone change their password on Canva [https://www.canva.com/account/reset/], and if you used the same password on other sites you should change those too.
  • Report suspicious emails: As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you do receive any emails that you believe are suspicious, do not click on them and do not respond. We encourage you to flag them with your email provider.
  • Use a password manager: We recommend you use a password manager such as 1Password or Google Chrome to generate and remember a unique, secure password for each site you use.
  • Update your Google/Facebook login if we’ve disconnected it: If you sign in using Facebook or Google we may have reset your login. Just login again to get back into your Canva account.
  • Update your contact details: Once you have logged in to Canva, please add or update your contact details so we can always contact you about your account.

A final word


We are deeply sorry that this has happened. Everyone at Canva has been on the receiving end of updates like this, and at a personal level we know how upsetting it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.

Sebastian Welsh
Head of Security, Canva

Was this article helpful ?

Not really Yes, thanks

People also viewed