Canva, a Sydney-based startup that's behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.
Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.
Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.
Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.
"I download everything up to May 17," the hacker said. "They detected my breach and closed their database server."
Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.
For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.
For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.
Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.
ZDNet requested a sample of the hacked data, so we could verify the hacker's claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site's staff and admins.
We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site's administrators, informing them of the breach and requesting an official statement.
"Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses," a Canva spokesperson told ZDNet via email.
"We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution," the company said.
"We will continue to communicate with our community as we learn more about the situation."
Canva is one of Australia's biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.
Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.
Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites -- Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.
With today's hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone's still keeping count, that's 1,071 billion credentials from 45 companies.
Previous coverage of GnosticPlayers' hacks:
- Round 1 + Round 2 [620 million + 127 million user records]
- Round 3 [93 million user records]
- Round 4 [26.5 million user records]
- Round 5 [65.5 million user records]