CRITICAL SEVERITY | Design | SaaS

Canva Data Breach

Canva Graphic Design Platform Breach (2019): 137 Million User Accounts Including Encrypted Passwords Exposed

Online design and publishing platform.

Verified by ObscureIQ Intelligence

Severity: 8.5
Records: 137.5M
Fields: 6
Year: 2019

ObscureIQ Breach Intelligence Scores
Breach Risk Index: 2.5
Data Value: 10
Market Recency: 25
Since Breach: 512 days

Risk Interpretation

Credential reuse risk and potential exposure of business or personal project data. Can enable phishing or brand impersonation attacks.

🎯 Impact & Downstream Threats

On May 24, 2019, the hacker GnosticPlayers — responsible for breaching data from dozens of companies totaling nearly a billion user records — contacted ZDNet to announce they had breached Canva hours earlier. Canva detected the intrusion and shut down the compromised database server while the attack was still in progress, limiting the exfiltration window to data created before May 17. The breach affected approximately 139 million subscribers, exposing email addresses, usernames, names, geographi

Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure

🔓 Threat Vectors

Phishing, credential stuffing & account takeover
Name-based social engineering
Pattern-of-life analysis & physical surveillance
Credential stuffing & account takeover
Offline decryption attack
Cross-platform tracking & credential stuffing

📋 Breach Intelligence

Entity: Canva
Organization: Private Company • Australia / Global
Breach Date: 2019-05-24
DBC Added: 2024-12-01
Added Date: 2024-12-01
Records: ~137.5M (137,485,336 records)
Attack Vector: Misconfiguration
Data Subjects: User
Breach Pathway: Direct
Source: Have I Been Pwned / DataBreach.com / ObscureIQ
Sensitivity: Standard
Breach ID: 245; 246
Status: Confirmed

📝 Executive Summary

Canva, the Australian graphic design platform used by hundreds of millions of people worldwide, suffered a data breach in May 2019 when the hacker group GnosticPlayers, responsible for stealing data from dozens of companies totaling nearly a billion records, successfully accessed Canva's systems. Canva detected the intrusion while it was still underway and shut down the compromised server, limiting exposure to data created before May 17, 2019. Approximately 137 to 139 million user accounts were affected. The exposed data included email addresses, usernames, full names, and geographic locations. Around 61 million accounts also had password hashes stolen. Canva stored these passwords using bcrypt, a hashing method that is significantly harder to crack than older formats, but by January 2020 the attacker had cracked roughly 4 million of those hashes. Google OAuth tokens, used by people who logged into Canva via their Google account, were also exposed. No payment information was compromised.

The practical risks include targeted phishing attacks, credential stuffing against other services where users reused the same password, and potential brand impersonation using personal details gleaned from the breach.

Canva notified affected users the same day the breach was discovered and prompted password resets. In January 2020, after learning that 4 million hashed passwords had been cracked, Canva forced a password reset for all accounts that had not already updated their credentials. No regulatory enforcement action or legal settlement specific to this breach has been publicly documented. People affected by this breach should ensure they are not reusing the exposed password on any other service and should remain alert to phishing emails that may reference their Canva account.

🏢 About Canva

Canva is an Australian online graphic design and publishing platform that allows individuals and businesses to create visual content including presentations, social media graphics, posters, and documents using a drag-and-drop interface. Founded in 2013 and headquartered in Sydney, the company has grown into one of the most widely used design tools globally, serving hundreds of millions of users across free and paid subscription tiers. Canva is privately held and has been valued at over $25 billion.

Platform | Graphic design and content creation | SaaS design platform | Global
Private Company | Australia / Global | canva.com

🗂 Why They Hold Your Data

Design platforms collect user accounts, emails, passwords, and created content, often tied to business or personal projects.

📰 Recent Developments

Canva has continued its rapid global expansion and has invested heavily in AI-powered design features, including generative image tools and automated design suggestions. The company has pursued enterprise market growth alongside its consumer and small business base. It has made several acquisitions to expand its capabilities including presentation and document creation tools.

🔍 Data Points Exposed

6 verified field types:
Email
Name
Encrypted Password;Email
Geographic locations
Names
Passwords
Usernames

Exposure Categories

Location: GEO LOCS

Canonical Fields

email_address, full_name, geographic_locations, password, password:encrypted, username

🌐 Dark Web Verification

Confirmed
  • Dataset containing ~137.5M records identified in breach intelligence sources
  • Data indexed and searchable across breach notification platforms
  • Source: canva.com-2019; Canva Data Breach

🛡 Recommended Actions

⚠️ Do not assume this is low sensitivity.

1. Freeze Your Credit
   Place a credit freeze with Equifax, Experian, and TransUnion.
2. Expect Targeted Phishing
   Watch for emails referencing this breach. Verify through official channels.
3. Enable MFA Everywhere
   Enable multi-factor authentication on all accounts.
4. Monitor Accounts
   Watch for unauthorized activity on financial and personal accounts.
5. Check Your Exposure
   ObscureIQ clients: this breach is indexed in your profile.


Classification Tags

Misconfiguration | Email | Passwords

Powered by the ObscureIQ Breach Intelligence Database

© 2026 ObscureIQ · All Rights Reserved · Data Licensing
