Published on the 29/05/2019 | Written by Jonathan Cotton
It was all going so well…
Last week Canva made a blink-and-you’ll-miss-it announcement… that 139 million user accounts had been compromised.
And things had been going so well for the company.
The Australian-based design platform had just completed a unicorn-making funding round which saw the company raise another AU$101 million, taking its valuation to a whopping AU$3.6 billion. (There’s muscle behind that investment too. Mary Meeker, author of the annual Internet Trends Report and the brains behind new US$1.25 billion growth fund Bond, is one of the principal investors.)
“The Canva team are building their platform around three trends – content, community and commerce – that we’ve been observing in some of the world’s fastest growing companies,” says Meeker, who is also an investor in both Slack and Airbnb.
“With its global user base of more than 15 million monthly active users, Canva is a clear leader providing a platform that empowers users to create compelling, data-rich visuals and gain design fluency through collaboration and feedback.”
The company was riding high on the investment – plus the addition of new services (stock image providers Pexels and Pixabay which it recently acquired) and a premium image subscription service.
But then came Saturday’s announcement that a huge security breach had occurred, including the theft of encrypted passwords (salted and hashed with bcrypt), real names, email addresses, user names and location information. Users who access Canva with Facebook or Google are unaffected by the breach.
The hacker – using the name GnosticPlayers – has since been in contact with media, saying “everything up to May 17” was accessed before Canva detected the breach and closed the database server.
GnosticPlayers is a known hacker – or perhaps hackers – infamous for stealing data from corporates and selling it on the dark web. Since February the hacker has released four data sets of stolen personal information, totalling more than a billion exposed accounts, stolen from 45 companies.
But here’s the twist: Canva let its users know – kind of – that a breach had occurred, burying the bad news in a PR email sent to Canva members.
“At Canva, we spend a lot of time and energy working to empower our community to create great designs,” the email from Saturday reads.
“The last week has been a big one for us. We’ve announced the acquisitions of free photography sites Pexels and Pixabay to give our community an additional one million free images to use in Canva, introduced a beautiful new browse experience for all of our photos and rolled out Canva Print for T-shirts in the US.
“Unfortunately, we have today become aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).
“We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their encrypted form (for technical people, all passwords were salted and hashed with bcrypt). This means that our users’ passwords remain unreadable by external parties.
“As a precaution, we recommend changing your Canva password. If you use the same email and password on other sites you should change the passwords on those sites too.”
The company says they are now working with a forensics team and the FBI.
“We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.”
That’s all well and good, but if the Canva powers that be think it’s appropriate to bury security notifications in public relations puffery, they should think again. (Think again they did, resending the email later in the day, sans marketing garbage.)
Security breaches always suck, but they also represent an opportunity for tech businesses to demonstrate their commitment to open, transparent behaviour with regard to user privacy issues – warts and all.
In this respect, Canva needs to radically rethink how it will handle these issues in the future.