Canva 2019 Data Breach

ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Design · SaaS · Email Address · Full Name · Geographic Location · Password · Username
Low Severity · Website / service breach

Canva Graphic Design Platform Breach (2019): 137 Million User Accounts Including Encrypted Passwords Exposed

Online design and publishing platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 34/100
Data Value: 10
Market Recency: 25
Since Breach: 512d

Breach Intelligence Summary

Entity: Canva · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Graphic design and content creation · SaaS design platform · Global
Timeline: Breach (2019-05-24) · Indexed (Dec 01, 2024) · Year (2019)
Exposure: 137.5M records · 5 fields: Email Address, Full Name, Geographic Location, Password, Username
Status: Confirmed

Executive Summary

Canva, the Australian graphic design platform used by hundreds of millions of people worldwide, suffered a data breach in May 2019 when the hacker group GnosticPlayers, responsible for stealing data from dozens of companies totaling nearly a billion records, successfully accessed Canva's systems. Canva detected the intrusion while it was still underway and shut down the compromised server, limiting exposure to data created before May 17, 2019.

Approximately 137 to 139 million user accounts were affected. The exposed data included email addresses, usernames, full names, and geographic locations. Around 61 million accounts also had password hashes stolen. Canva stored these passwords using bcrypt, a hashing method that is significantly harder to crack than older formats, but by January 2020 the attacker had cracked roughly 4 million of those hashes. Google OAuth tokens, used by people who logged into Canva via their Google account, were also exposed. No payment information was compromised.

The practical risks include targeted phishing attacks, credential stuffing against other services where users reused the same password, and potential brand impersonation using personal details gleaned from the breach.

Canva notified affected users the same day the breach was discovered and prompted password resets. In January 2020, after learning that 4 million hashed passwords had been cracked, Canva forced a password reset for all accounts that had not already updated their credentials. No regulatory enforcement action or legal settlement specific to this breach has been publicly documented. People affected by this breach should ensure they are not reusing the exposed password on any other service and should remain alert to phishing emails that may reference their Canva account.

ObscureIQ assessment: Credential reuse risk and potential exposure of business or personal project data. Can enable phishing or brand impersonation attacks.

Breach Impact

On May 24, 2019, the hacker GnosticPlayers — responsible for breaching data from dozens of companies totaling nearly a billion user records — contacted ZDNet to announce they had breached Canva hours earlier. Canva detected the intrusion and shut down the compromised database server while the attack was still in progress, limiting the exfiltration window to data created before May 17. The breach affected approximately 139 million subscribers, exposing email addresses, usernames, names, geographic locations, and bcrypt-hashed passwords for roughly 61 million accounts, along with Google OAuth tokens for users who authenticated via Google. Canva notified users the same day and prompted password resets. In January 2020 Canva disclosed that approximately 4 million of the stolen bcrypt hashes had been cracked by the attacker, triggering a forced reset of all accounts that had not already changed their passwords. No payment information was compromised. No settlement or regulatory enforcement action specific to this breach has been prominently documented.

About Canva

Canva is an Australian online graphic design and publishing platform that allows individuals and businesses to create visual content including presentations, social media graphics, posters, and documents using a drag-and-drop interface. Founded in 2013 and headquartered in Sydney, the company has grown into one of the most widely used design tools globally, serving hundreds of millions of users across free and paid subscription tiers. Canva is privately held and has been valued at over $25 billion.

Why They Hold Your Data

Design platforms collect user accounts, emails, passwords, and created content, often tied to business or personal projects.

Recent Developments

Canva has continued its rapid global expansion and has invested heavily in AI-powered design features, including generative image tools and automated design suggestions. The company has pursued enterprise market growth alongside its consumer and small business base. It has made several acquisitions to expand its capabilities including presentation and document creation tools.

Data Points Exposed

5 verified field types:
  • Email Address
  • Full Name (High)
  • Geographic Location
  • Password (Critical)
  • Username


Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Credential stuffing & account takeover
  • Offline decryption attack
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Canva breach?

Canva, the Australian graphic design platform used by hundreds of millions of people worldwide, suffered a data breach in May 2019 when the hacker group GnosticPlayers, responsible for stealing data from dozens of companies totaling nearly a billion records, successfully accessed Canva's systems.…

What data was exposed?

Verified fields include Email Address, Full Name, Geographic Location, Password, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • Hashmob (Cross-source): Independent catalogue listing
  • leakfind (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
