Hacker Brags About Data Breach: Canva (2019)

On the 24th of May 2019, the Australian design platform Canva intercepted an attack as it was happening. Unfortunately, they only managed to shut down the hacking attempt after 139 million Canva accounts had been breached.

One peculiarity is that the malicious attacker/s stepped forward to claim responsibility for the data breach. Known as “gnosticplayers” the attacker(s) alerted ZDNet, a news site for IT professionals, a matter of hours after the attack was intercepted.

It’s not unusual for hackers to brag about attacks on the dark web, but it is strange for them to announce an attack so openly to the media. So what’s the deal?

First, a little more about the attack. Here are the facts as we know them.

The hackers stole details, including usernames, real names, email addresses, and location. In the case of 61 million users, encrypted password data was also stolen. Fortunately, the algorithm Canva used to encrypt the passwords is pretty strong. While hackers worked to decrypt the passwords, Canva jumped straight to notifying users, prompting them to change their passwords.

While Canva’s actions no doubt saved millions of their users from account takeovers, millions more were at risk.

In an update at the beginning of this year, Canva announced that hackers had decrypted the passwords of 4 million of its accounts and shared the information online. In response, Canva forcibly changed any remaining passwords implicated in the data breach.

Now, onto that curious admission by gnosticplayers. Why reveal the attack? Surely bringing the breach to public attention will make it more likely that Canva users will change their passwords. The answer is likely to do with money. No surprises there.

A few days before the attack, a popular dark web marketplace called Dream announced it would be closing the following month. This meant that cyber criminals such as gnosticplayers, who were using Dream, needed a new marketing platform.

They also knew that they had to act fast. Canva was already in the process of notifying users, so getting the information out there and selling it as quickly as possible was their best option.

Of course, another reason for this brag could simply be the thrill of notoriety. ZDNet revealed that this was not their first interaction with gnosticplayers. Well, if they aimed to achieve infamy, they’ve succeeded.