139 Million Users Hit in Canva Data Breach
Australian web-design service appears to have had data pertaining to 139 million users stolen by a malicious hacker.
Australian web-design online service Canva seems to have been hit by a malicious hacker who claims to have made off with data pertaining to 139 million users.
The pilfered personal information includes real names, usernames, email addresses and city and country information. On the bright side, email passwords were salted and hashed using the Bcrypt algorithm, which is dang near impossible to reverse, and dates of birth and street addresses do not seem to have been part of the compromised data.
If you've ever signed up for Canva, you should probably change your Canva account password. If you've ever used that same password elsewhere, definitely change it on those other services.
However, Canva also lets you use its services by signing in with your Google or Facebook accounts, and there is no evidence that those accounts are in any danger from this breach.
MORE: Best Password Managers
ZDNet's Catalin Cimpanu was contacted earlier today (May 24) by the hacker, who uses the pseudonym GnosticPlayers and who in the past several months has claimed to have stolen data pertaining to nearly 1 billion users from dozens of websites.
Cimpanu contacted Canva, and a spokesperson admitted that the company had been "made aware of a security breach which enabled access to a number of usernames and email addresses."
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised," the company reportedly said. "As a safeguard, we are encouraging our community to change their passwords as a precaution."
Bcrypt is a strong and slow password-hashing algorithm that was designed to be difficult and time-consuming for a "cracker" to reverse. (Hashing is one-way encryption for items that are not meant to be decrypted.) Each password was "salted" with additional random data to make hash-cracking even more difficult.
Best Identity Protection Services
Best Overall
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Best Tools
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.