
Canva security breach: hacker claims to have stolen the data of 139M users - open-source-ux
https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/
======
vijaybritto
How is a design website having 189M users? This is astonishing more than the
hack!

~~~
AznHisoka
My guess is it doesn't. Anyone can make up a number if they don't have to
prove it. Hootsuite doesn't even have that many.

~~~
jeromegv
You don't "need" Hootsuite; you can log in on Twitter and Facebook just fine to
craft your social media. Sure, for professionals it helps to have your calendar
of content, but tons of people get away without it. Hootsuite also kind of
missed the transition to Instagram, and they are left to do whatever is being
allowed by the API of the social media platforms. However, if you need any
kind of design work, you absolutely need software to do it, and Canva lets you
do all of it, up until the final output. Potential for growth is definitely
bigger with Canva than Hootsuite.

~~~
AznHisoka
That is true. I'm the biggest Hootsuite hater.

------
open-source-ux
FAQ on the security breach on the Canva site:

https://support.canva.com/contact/customer-support/may-24-security-incident-faqs/

~~~
guitarbill
That's a pretty decent page. It doesn't seem so bad:

> Passwords in their encrypted form were also obtained (for technical people:
> all passwords were salted and hashed with bcrypt); this means that all Canva
> user passwords remain unreadable by external parties.

So while I hate the phrasing, this statement seems reasonable for once, if
lacking in details on how they came to the conclusion:

> There have been no indications that any user designs have been accessed.

Yet again though, bad _practical_ password advice:

> Passwords should be changed frequently (at least every 90 days).

Why exactly? What does rotating passwords "at least every 90 days" buy me,
against what threat model? Much better advice would be not to reuse passwords
across sites, with links to password managers.

Oh, and from what I could see, they don't offer any kind of 2FA.

As a reminder, NIST 800-63 [0] has some decent guidelines, which they seem
roughly to be advocating with the rest of the password advice.

[0] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

~~~
JeremyBanks
Their breach notification email was awful:
[https://twitter.com/skwashd/status/1132258055767281664](https://twitter.com/skwashd/status/1132258055767281664)

------
Phillipharryt
Am I the only one shocked that a website just within the top 200 sites in the
world has 139 million users? That's phenomenal (and potentially more if not
all user details were hacked).

------
willbw
It seems as though these breaches have limited effect on user behaviour.
Perhaps I'm just being cynical, but if you aren't getting access and you
are just getting hashed passwords, do people even care? Does it even matter?

Of course names and contact details are not great. I get that. But will this
even affect Canva?

------
mtgx
> Three days ago, the company announced it raised $70 million in a Series-D
> funding round, and is now valued at a whopping $2.5 billion.

Were the investors made aware of the hack? I also wonder for how long they've
known about it, but decided to keep it secret until they get new investment
money.

~~~
neya
Is there any way legally someone could trigger an investigation to validate if
they had actually known about this before taking money?

~~~
ga-vu
The article clearly states the hack took place that morning. So no, the owners
didn't know.

------
neya
> Does this mean my Facebook and/or Google login details have been compromised?
>
> If you use Facebook or Google to log into Canva, rest assured those
> credentials are also encrypted and unreadable by external parties, so you do
> not have to change your password on Facebook or Google.

I find this advice stupid. I know many hackers maintain and run through
databases of password+hashes from which they can fetch original passwords for
a hash. Also, Canva hasn't accepted nor denied whether their salt was
compromised, so without confirming this, I think it's just stupid to falsely
assure "Don't change your passwords".

> Were my designs accessed?
>
> There have been no indications that any user designs have been accessed.

Translation: "We don't know"

I mean, I'm just supposed to believe you at face value and not change my
passwords? You just lost my password.

~~~
guitarbill
> I know many hackers maintain and run through databases of password+hashes
> they can fetch original passwords from the hash.

Exactly the point of a salt, to make it so rainbow tables need to be computed
with a salt which ideally is different for every user. The salt being exposed
doesn't change that.

Edit: For Google/Facebook sign-in, which I presume is OAuth, it works
differently and they're correct in saying your Google or Facebook password is
not at risk.

So usually, I'd agree, but in this case it's fairly reasonable to say it's
unlikely anything was accessed. Cracking bcrypt takes time. If the hackers
wanted to target an individual, they'd just phish them.

Also, they literally say:

> As a precaution, we recommend changing your Canva password.

https://support.canva.com/contact/customer-support/may-24-security-incident-faqs/

