In May 2019, Canva, the popular Australian graphic design platform, suffered a massive data breach affecting 137 million users worldwide. Although Canva is an Australian company, many Australians don’t realise their Canva data may still be circulating online.

What Was Exposed?

  • Email addresses
  • Usernames and real names
  • Home cities (where provided)
  • Passwords — stored as bcrypt hashes (relatively secure, but still at risk)
  • For Google/Facebook login users: partial OAuth tokens

The breach was carried out by a hacker known as GnosticPlayers, who at the time was on a spree of major platform breaches. The stolen data was later published and has been widely distributed.

How to Check if You Were Affected

Check your email address for free: if your Canva account email appears, you’ll see it listed in your results.

What Should You Do?

  1. Change your Canva password if you haven’t since 2019
  2. Change any other accounts where you used the same password — this is the real risk
  3. Enable 2FA on Canva — go to Account Settings → Login & Security
  4. Check for credential stuffing: if your email + old Canva password combo is floating around, attackers will try it on Netflix, PayPal, email providers, and banking apps

Why Canva Passwords Are Still Dangerous in 2024

Even though Canva used bcrypt (a strong hashing algorithm), the 5 years since the breach have given attackers time to crack weaker passwords. Any password shorter than 12 characters or based on dictionary words is likely cracked by now.

Password reuse is the biggest risk. Studies consistently show that 50-60% of people reuse passwords across multiple sites. If you used the same password on Canva as anywhere else, those accounts are at risk.
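One way to act on step 2 above and on the 12-character threshold is to audit a password-manager export locally. This is an added example, not part of the original article: the CSV column names, the sample rows and the function name `audit_export` are assumptions, and the case-variant check goes slightly beyond the exact-reuse case the article describes.

```python
import csv
import io

# Constructed sample of a password-manager CSV export. The column names are an
# assumption (real exports differ by product); none of these are real credentials.
SAMPLE_EXPORT = """name,url,username,password
Canva,https://www.canva.com,alex@example.com,sunshine15
Netflix,https://www.netflix.com,alex@example.com,sunshine15
PayPal,https://www.paypal.com,alex@example.com,Sunshine15
Bank,https://bank.example,alex@example.com,kT9#vq2LmZ!r8wXe
Forum,https://forum.example,alex2@example.com,sunshine15
"""

MIN_LENGTH = 12  # the article's threshold for passwords likely cracked by now


def audit_export(csv_text, breached_site="canva"):
    """Classify entries relative to the breached site's password.

    Returns a dict with three sorted lists of entry names:
      reused   - other accounts using exactly the breached password
      variants - other accounts whose password differs only by letter case
      short    - any account whose password is under MIN_LENGTH characters
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    def is_breached(row):
        return breached_site in row["name"].lower()

    breached = {row["password"] for row in rows if is_breached(row)}
    breached_folded = {pw.casefold() for pw in breached}

    reused, variants = [], []
    for row in rows:
        if is_breached(row):
            continue
        if row["password"] in breached:
            reused.append(row["name"])
        elif row["password"].casefold() in breached_folded:
            variants.append(row["name"])
    short = [row["name"] for row in rows if len(row["password"]) < MIN_LENGTH]
    return {"reused": sorted(reused), "variants": sorted(variants), "short": sorted(short)}


if __name__ == "__main__":
    # Print entry names only, never the passwords themselves.
    for label, names in audit_export(SAMPLE_EXPORT).items():
        print(f"{label}: {', '.join(names) or 'none'}")
```

Run it against a real export only on a trusted machine, and delete the export file afterwards, since it holds every password in plain text.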

Canva’s Response

Canva notified affected users and prompted password resets shortly after discovering the breach. The company stated that financial data was not accessed (Canva processes payments through third-party providers). The Australian Cyber Security Centre (ACSC) was informed.

The Broader Lesson

The Canva breach is a good example of why checking your email against breach databases regularly matters. You might have forgotten you even had a Canva account — but that 2015 email+password combo could still be unlocking doors.
