What happened
According to public breach records, the Canva data breach on May 24, 2019 is reported to have exposed the personal information of 137,272,116 accounts.
In May 2019, the graphic design tool website Canva suffered a data breach that impacted 137 million subscribers. The exposed data included email addresses, usernames, names, cities of residence and passwords stored as bcrypt hashes for users not using social logins.
Passwords in this breach were reportedly stored as bcrypt hashes.
On 24 May 2019 a hacker using the alias "GnosticPlayers" contacted ZDNet to claim responsibility for breaching the Australian design platform Canva; Canva detected and stopped the intrusion while it was in progress, but data tied to roughly 137 million accounts had already been exposed. The exposed records included email addresses, usernames, real names, cities of residence and passwords stored as bcrypt hashes for users who did not sign in via a social login. In January 2020 Canva disclosed that the attacker had managed to crack the credentials of around 4 million accounts whose passwords had not yet been changed, prompting a forced password reset for those users.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Geographic locations
- Names
- Passwords
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | Canva |
| Date | May 24, 2019 |
| Accounts affected | 137,272,116 |
| Domain | canva.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Canva; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Canva password immediately, and change it anywhere else you reused the same or a similar password — bcrypt hashing slowed but did not prevent some passwords from being cracked.
- Enable two-factor authentication on your Canva account and on any account that shared the breached password.
- Treat unexpected emails referencing Canva or password resets with caution — exposed email addresses and names are commonly used for targeted phishing.
- Use unique passwords per site (ideally via a password manager) so a single exposed credential cannot unlock your other accounts through credential stuffing.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: Canva Data Breach
- Gnosticplayers: Why the hacker behind the Canva data breach boasted to the media (Verdict)
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →