On the 24th of May 2019, the Australian design platform Canva detected an attack as it was happening. Unfortunately, they only managed to shut down the hacking attempt after 139 million Canva accounts had been breached.
One peculiarity is that the malicious attacker(s) stepped forward to claim responsibility for the data breach. Known as “gnosticplayers”, the attacker(s) contacted a news site for IT professionals a matter of hours after the attack was intercepted.
It’s not unusual for hackers to brag about attacks on the dark web, but it is strange for them to announce an attack so openly to the media. So what’s the deal?
First, a little more about the attack. Here are the facts as we know them.
The hackers stole account details, including usernames, real names, email addresses, and location. In the case of 61 million users, encrypted password data was also stolen. Fortunately, the algorithm Canva used to encrypt the passwords is pretty strong. While the hackers worked to decrypt the passwords, Canva jumped straight to notifying users to change their passwords.
While Canva’s actions no doubt saved millions of their users from account takeovers, millions more were at risk.
In a later update, Canva announced that the hackers had decrypted the passwords of 4 million of its accounts and shared the information online. In response, Canva forcibly changed any remaining passwords implicated in the data breach.
Now, onto that curious admission by gnosticplayers. Why reveal the attack? Surely bringing the breach to public attention will make it more likely that Canva users will change their passwords. The answer is likely to do with money. No surprises there.
They also knew that they had to act fast. Canva was already in the process of notifying users, so getting the information out there and selling it as quickly as possible was their best option.