Canva Security Incident – May 24 FAQs
Incident Status Update
Page Updated June 1, 10:13 AEST
Following an investigation with cyber security experts, we now have a better understanding of the impact of the attack and want to provide as much context as we can to our community.
On Friday 24th May 2019, we detected a malicious attack on our systems, which we stopped as it was occurring. Our first response was to lock down Canva, then notify authorities and users that the breach had occurred. Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response.
Since then we have worked with cyber security experts and authorities, such as the FBI, to help protect our users, and are communicating the latest information below.
What did the attacker do?
- They accessed information from our profile database for up to 139 million users. The profile database contains usernames, names, email addresses, country, and optionally, user-supplied data about their city and/or homepage URL which was available through their public profile.
- They accessed cryptographically protected passwords (these were individually salted and hashed with bcrypt) for any of those users with username/password logins.
- They claimed to have obtained OAuth login tokens for users who signed in via Google. Our OAuth tokens are encrypted with AES128 and the encryption keys are securely stored elsewhere. We have found no evidence they downloaded the OAuth tokens or tried to access the keys.
- They briefly viewed files with partial credit card and payment data. We found no evidence these files were stolen. Files contained partial credit card data from before September 28, 2016 (name, expiry date, last 4 digits, card brand and card country), and payment histories from before September 16, 2017 that contained transaction dollar amounts, dates, and IDs for some payments for users and contributors. These limited card details cannot be used for payments. Canva never stores full credit card details.
Designs and images are securely stored in seperate systems. There has been no indication that any user designs or images have been accessed.
What is Canva doing about it?
We continue to invest heavily in security. We intend to publish a technical post mortem of the incident once our investigations are complete. Our first priority, though, is to protect our users. Here’s what we’re doing:
- Notifying our users: We want our users to know that they’ve been affected. We’ve directly contacted users via email, but some users have out-of-date or incorrect email details so we have also used in-app notifications and the press to alert users to the breach. We are following up on our initial notification with individual emails to each user outlining what data was accessed.
- Prompting users to change passwords: We’ve asked all users who had passwords set before the attack to change them, and are adding rules to help users set stronger ones.
- Resetting OAuth tokens: We’ve worked with our partners to make sure all active login tokens that existed prior to the breach are reset. These users will be prompted to reconnect their Canva account.
- Coordinating with partners: We are working with partner agencies to share information about the attack, identify the risk to users, and coordinate responses. For example, we’re alerting the email abuse teams of major providers to make it harder for attackers to phish our users.
- Partnering with 1Password: While we recommend that our users use different passwords for each site they use, we know that’s hard. We have partnered with 1Password to offer a year free to Canva users who don’t already use their service.
What can Canva users do?
- Change your password: If you have a password on Canva and haven’t done so already, we are recommending that everyone change their password on Canva [https://www.canva.com/account/reset/], and if you used the same password on other sites you should change those too.
- Report suspicious emails: As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you do receive any emails that you believe are suspicious, do not click on them and do not respond. We encourage you to flag them with your email provider.
- Use a password manager: We recommend you use a password manager such as 1Password or Google Chrome to generate and remember a unique, secure password for each site you use.
- Update your Google/Facebook login if we’ve disconnected it: If you sign in using Facebook or Google we may have reset your login. Just login again to get back into your Canva account.
- Update your contact details: Once you have logged in to Canva, please add or update your contact details so we can always contact you about your account.
A final word
We are deeply sorry that this has happened. Everyone at Canva has been on the receiving end of updates like this, and at a personal level we know how upsetting it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.
Head of Security, Canva