How Did The Canva Data Breach Happen

Today, we will be discussing a topic that is becoming more and more unsettling in the age of digital information – data breaches. In particular, we will be looking at one of the most significant breaches in recent years, the Canva data breach. So, what exactly happened during the Canva data breach?


In May 2019, Canva, the Australia-based graphic design website, suffered a massive data breach. The breach affected approximately 139 million users worldwide and compromised their names, usernames, addresses, cities of residence, and password hashes.

What Happened?

The Canva data breach was orchestrated by a notorious hacker referred to as GnosticPlayers. The hacker targeted weaknesses in Canva’s systems to gain unauthorized access to user data, exposing a treasure trove of user information. Approximately 139 million user records were compromised, putting a significant portion of Canva’s customer base at risk.

The Technicalities

The hacker exploited an inadequately secured backend database to gain unauthorized access to the system. They took advantage of a zero-day vulnerability (a flaw unknown to the software vendor) in Canva’s system, and once inside, they had nearly unrestricted access to user data.

It is important to note that the passwords were hashed with the bcrypt algorithm, which is designed to keep passwords protected even if the hashes are exposed. However, with enough time and computational power, bcrypt-hashed passwords can still be cracked.
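
How much time "enough time" means depends on the cost factor stored inside each bcrypt hash. The check below is an added example, not Canva's code or part of the original article: it parses the bcrypt hash format, flags hashes below a minimum cost for rehashing at the next login, and estimates how long a guessing sweep against one hash would take. The minimum cost of 12, the guess rate and the sample hashes are constructed assumptions.

```python
import re

# Modular-crypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MIN_COST = 12  # assumed site policy, not a value from the article


def parse_bcrypt(stored):
    """Return (variant, cost, salt); raise ValueError for a malformed hash."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range accepted by bcrypt
        raise ValueError("cost out of range")
    return m.group(1), cost, m.group(3)


def needs_rehash(stored, min_cost=MIN_COST):
    """True when the hash should be recomputed at the next successful login."""
    try:
        _, cost, _ = parse_bcrypt(stored)
    except ValueError:
        return True  # unknown or legacy format: upgrade it
    return cost < min_cost


def relative_work(cost, baseline=MIN_COST):
    """bcrypt iterates its key setup 2**cost times, so +1 cost doubles the work."""
    return 2.0 ** (cost - baseline)


def exhaust_days(candidates, cost, guesses_per_sec_at_baseline, baseline=MIN_COST):
    """Days needed to try `candidates` guesses against ONE salted hash."""
    rate = guesses_per_sec_at_baseline / relative_work(cost, baseline)
    return candidates / rate / 86400


if __name__ == "__main__":
    # Constructed sample hashes (placeholder salt and digest), not real credentials.
    for cost in (10, 12, 14):
        sample = "$2b$%02d$" % cost + "a" * 22 + "b" * 31
        # Assumed rate: 1000 guesses per second at cost 12 on the guessing hardware.
        days = exhaust_days(10**9, cost, 1000.0)
        print(cost, needs_rehash(sample), round(days, 1))
```

Because every hash carries its own salt, the estimate applies per account: a weak, commonly used password falls early in any guess list regardless of cost, which is why a forced reset still matters after hashes leak.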

Post-Breach Actions

Canva promptly notified its users about the breach and advised them to change their passwords. They also assured their users that their credit card and payment information was not accessed during the breach because it was properly encrypted. Taking measures to further secure user data, they enforced a mandatory password reset for all their users.

Lessons Learned

The Canva data breach serves as a stark reminder of the importance of adequate and robust security measures in protecting user data. It highlights the need for businesses to continuously update and patch their systems, regularly perform vulnerability assessments, and adopt encryption for all sensitive data.

Furthermore, the breach underscores the importance of transparency and swift response in the event of a data breach. Canva’s quick action to notify its users and enforce password changes helped mitigate the potential damage to its users.


As we continue to rely more on digital platforms for various aspects of our lives, ensuring data security should be a priority. Breaches like the one that hit Canva remind us that even the most reliable platforms are not immune to threats, making constant vigilance and proactive security measures invaluable.