Canva Security Incident - May 24 FAQ
Page Updated May 30, 19:14 AEST
On Friday, May 24, 2019 (AEST) we became aware of an in-progress malicious attack on our systems. Our team worked to ensure it was immediately contained and have been working around the clock since then to ensure we have taken every possible precaution to prevent another attack.
We are continuing to work with forensic security firm, Mandiant, as well as authorities including the FBI and AFP, to understand all aspects of the incident and provide the best advice to our customers.
What should I do?
As a precaution, we recommend changing your Canva password. If you use the same email and password on other sites, you should change the password on those sites too. We recommend you use a password manager (such as 1Password) to generate and securely store passwords.
What information of mine was involved?
The malicious attacker accessed a number of Canva usernames and email addresses. The attacker also obtained passwords in their cryptographically secure (hashed) form: all passwords were individually salted and hashed with bcrypt. While this is industry best practice, given enough computing power it is still possible to crack weak or obvious passwords. For this reason, we recommend you change your password.
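An added illustration of the per-password salting described above (example code, not Canva's own). bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in; the properties shown are the ones the answer relies on: every stored hash carries its own random salt, the work factor is tunable, and a hash computed for one account cannot be looked up against another.

```python
"""Per-password salted hashing with a tunable work factor.

PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (an assumption
for this example; bcrypt is not in the standard library).
"""
import base64
import hashlib
import hmac
import os

WORK_FACTOR = 2 ** 14  # PBKDF2 iterations; raising it makes every guess costlier


def hash_password(password: str, iterations: int = WORK_FACTOR) -> str:
    """Return 'pbkdf2$<iterations>$<salt>$<digest>' with a fresh 16-byte salt.

    Because the salt is random per call, two users with the same password
    end up with different stored records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the salt and iteration count embedded in the record."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def salts_are_unique(password: str, n: int = 5) -> bool:
    """Hashing one password n times yields n distinct records, so a table
    precomputed against one stored hash says nothing about any other."""
    return len({hash_password(password) for _ in range(n)}) == n
```

Note that per-account salting does not protect a weak password: each stored record can still be tested guess by guess at the cost set by the work factor, which is why the answer above recommends changing weak or reused passwords.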
Were my designs or images accessed?
Designs and images are securely stored in separate systems. There has been no indication that any user designs or images have been accessed.
Have my credit card details been compromised?
At Canva, all our online payments are handled securely. We do not handle or keep any sensitive credit card payment information on Canva.
When did the breach happen?
On Friday, May 24, 2019 (AEST) we became aware of an in-progress, malicious attack on our systems. As soon as we were notified, we immediately took steps to identify and remedy the cause, and reported the situation to authorities (including the FBI).
Who is responsible for this incident?
The person behind the attack was a malicious hacker who is well known to authorities. We take our privacy obligations very seriously and are investing significant resources into investigating this incident. We have engaged leading consultants, including forensic security firm Mandiant, to help us understand exactly what happened, and will continue to work with law enforcement and government security bodies as required.
What steps is Canva taking to resolve the data breach?
As soon as we became aware, Canva immediately took steps to shut down the attack and to alert law enforcement. We have closed the vulnerability that led to the attack, and have strengthened our security measures across our systems.
Why haven’t I been directly contacted about this by Canva?
We are continuing to reach out to everyone in our community. Sending tens of millions of emails is a complex task, but we are committed to informing everyone who has been affected. In some cases we have found that customers' email addresses were out of date or incorrect, so we will do our best to reach you, but we may be unable to.
Who do I contact for more information?
You can contact us with any questions at [email protected]. If you receive any suspicious emails, you can forward them to [email protected], and we will pass these along to the appropriate authorities.
Does this mean my Facebook and/or Google login details have been compromised?
If you use Facebook or Google to log into Canva, rest assured those credentials are also encrypted and unreadable by external parties, so you do not have to change your password on Facebook or Google. However, it’s always good practice to change your password regularly.
What information of mine was involved?
The security incident enabled access to a number of Canva usernames and email addresses. Passwords were also obtained in their cryptographically secure form (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.