GnosticPlayers, the hacker or hacker group that exposed over 932 million user data records online and sold many of them for Bitcoin, has now stolen the data of 139 million Canva users.
Canva, a Sydney-based graphic-design tool website, founded in 2012, was hacked late last week, reports ZDNet.
The breach is the work of a hacker, or hackers, going online as GnosticPlayers. This latest hack means GnosticPlayers has now stolen over one billion user credentials: 1.071 billion credentials from 45 companies.
Since February this year, GnosticPlayers has posted for sale on the dark web the data of more than 932 million users, stolen from 44 companies around the world.
Canva’s stolen data included customer usernames, real names, email info, city and country information, and Google tokens, which users had used to sign up for the site without setting a password. The database also held password hashes, produced with the bcrypt algorithm, presently considered one of the most secure password-hashing algorithms.
GnosticPlayers told ZDNet: “I download everything up to May 17. They detected my breach and closed their database server.”
A Canva spokesperson told ZDNet via email: “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses.
“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution,” the company said.
“We will continue to communicate with our community as we learn more about the situation.”