Eighth day of Hackmas: The Aussie unicorn is breached
Canva is one of Australia’s biggest software companies and is a heralded “tech unicorn” due to its $1B+ valuation. It is an online service that can be used to design and create content, logos, or other marketing collateral.
The breach exposed the data of 139 million users, including usernames, names, email addresses, country and user-supplied data about their location.
Passwords were stored as a “hash” (loosely comparable to encryption, except that a hash is one-way and cannot be reversed to recover the password), and for accounts that used a linked Google account to log in to Canva, the OAuth tokens were compromised.
Partial credit card information was also compromised; however, Canva confirmed that it could not be used for payments.
The size of the breach (which Canva’s security team detected mid-way through, stopping the full download) was roughly 139 million user details and password hashes for 61 million users.
The good news is that Canva had taken considerable steps to limit the impact of such an attack: whilst the unencrypted data that was exposed is of value, the passwords and OAuth tokens were encrypted and, importantly, stored in a separate location.
Canva also advised all users to change their passwords (despite assuring everyone that their password was safe). It is another friendly reminder of why you should use a different password for each of your online accounts.
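To make the “hash, not encryption” point concrete, here is an added example (not code from the post or from Canva) of how a credential store built on a salted, slow hash looks when it leaks: it assumes scrypt from Python’s standard library and constructed sample users, and it shows that the stored values cannot be decrypted back to passwords and that per-user salts stop a leaked table from revealing which users share a password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# scrypt cost parameters; assumed values for this example, not Canva's settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute the hash with the stored salt and compare in
    constant time. The password itself is never stored, only re-derived."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


def build_credential_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate what a leaked credential store contains: salts and digests,
    not plaintext passwords. `users` is constructed sample data."""
    return {name: hash_password(pw) for name, pw in users.items()}


def shared_password_visible(table: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """True if any two users have identical digests. With per-user salts this
    stays False even when users picked the same password, so the leaked table
    alone does not show which accounts reuse a password."""
    digests = [digest for _, digest in table.values()]
    return len(digests) != len(set(digests))
```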
Could this have been prevented?
This one is all about the response, which was widely criticised but fundamentally was pretty sound. Canva offered clients a year of 1Password (a password management tool) and provided a blog update to their user base explaining what the breach meant and how users could better protect themselves in the future.