That's a pretty decent page. It doesn't seem so bad:
> Passwords in their encrypted form were also obtained (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.
So while I hate the phrasing, this statement seems reasonable for once, if lacking in details how they came to the conclusion:
> There have been no indications that any user designs have been accessed.
Yet again though, bad practical password advice:
> Passwords should be changed frequently (at least every 90 days).
Why exactly? What does rotating passwords "at least every 90 days" buy me, against what threat model? Much better advice would be not to reuse passwords across sites, with links to password managers.
Oh, and from what I could see, they don't offer any kind of 2FA.
As a reminder, NIST 800-63 [0] has some decent guidelines, which they seem roughly to be advocating with the rest of the password advice.
rotating your password protects you against sites that store passwords poorly. you can’t know what any site’s actual practices are. even when stated, the implementation may differ and be much weaker.
Am I the only one shocked that a website just within the top 200 sites in the world has 139 million users? That's phenomenal (and potentially more if not all user details were hacked)
Because it made it easy to create inspirational posters and social media posts/avatars/covers. Its simplicity of creating a "good enough" design is what got non-designers registered, myself included.
You can sign up with facebook + there is a free 30 days trial.
I wouldn't be surprised if a lot of people just signed up to check it out and if a lot of other users registered multiple times with different emails to have access to the free trial.
Hmm there is an entirely free version and has quite a lot of features, it's more than a trial. This is popular not just because of people re-creating accounts on different emails.
https://about.canva.com/pricing/
It's also a common tool for non-designers who maintain their own websites. I heard about Canva through my girlfriend who used it on her Android phone to build banners, buttons, and other graphics for her Wordpress site.
Well it also depends on what is considered a 'user'. For example let's say you had 'only' 50,000 users. So you then pack the database with hundreds of millions of fake users. The purpose of the fake users is simply to lessen the probability that the real users get their data used in some way. Further to the point if the number of fake users is high enough it makes it more difficult to sell the data because nobody knows what data is fake and what is not (sure you could cross ref it with other data but that would take some effort).
And even moreover a news story saying that 25,000 users data was stolen is not a big deal. A news story saying that 1 billion users data was stolen is a big deal. And then brings up the obvious question of whether the stolen data is really real in some way.
You don't "need" hootsuite, you can login on twitter and facebook just fine to craft your social media. Sure for professionals it helps to have your calendar of content, but tons of people get away without it. Hootsuite also kind of missed the transition to Instagram and they are left to do whatever is being allowed by the API of the social media platforms.
However, if you need any kind of design work, you absolutely need a software to do it and Canva let you do all of it, up until the final output.
Potential for growth is definitely bigger with Canva than Hootsuite.
Canva is ranked at 170 on Alexa [1]. Hootsuite is ranked at more than 1100 [2].
So we'd expect Canva to have a lot more users than Hootsuite.
Also, they've raised over $80M in multiple rounds from top VCs including Sequoia [3], which would be hard to do if they were bullshitting about their numbers.
Canva is used by anyone doing any kind of marketing or design work. It's easy to use, doesn't require any app on your laptop, will save your design in the cloud, and the free version is quite decent. I'm sure there's a fair amount of unused accounts but Canva is quite HUGE (i work in ecommerce/marketing/social media)
Was likely one of their earlier users, been on the platform for more years than I can remember. It's simple to use and covers all the basics for digital marketers who don't have time to wait for internal design resources to free up. Business cards, CPC ads, banners, etc. I just finished designing a 15-page downloadable PDF in it. Oh, and I only just upgraded to a pay account; been using it free for many many years.
So the idea is a library of templates/icons/clip art combined with a web UI to edit the text and objects? With some sharing/collaboration features built in.
Sounds like a good idea. Templates have pretty much taken over web design, it makes sense that it will take over other run-of-the-mill categories of design (where hiring a custom designer doesn't make sense).
I use it for my side project's album covers. I can upload images, overlay text, add basic shape layers. It's no photoshop / sketch but it does the basics well enough which is why I use it, and being online I don't have to be near my studio if I want to finish up publishing a track.
Definitely a great service, it doesn't surprise me it has so many users.
> Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion.
Were the investors made aware of the hack? I also wonder for how long they've known about it, but decided to keep it secret until they get new investment money.
Does this mean my Facebook and/or Google login details have been compromised?
If you use Facebook or Google to log into Canva, rest assured those credentials are also encrypted and unreadable by external parties, so you do not have to change your password on Facebook or Google.
I find this advice stupid, I know many hackers maintain and run through databases of password+hashes they can fetch original passwords from the hash. Also, Canva hasn't accepted nor denied if their salt was compromised, so without confirming these, I think it's just stupid to falsely assure "Don't change your passwords".
Were my designs accessed?
There have been no indications that any user designs have been accessed.
Translation: "We don't know"
I mean I'm just supposed to believe you at face value and not change my passwords? You just lost my password..
> I know many hackers maintain and run through databases of password+hashes they can fetch original passwords from the hash.
Exactly the point of a salt, to make it so rainbow tables need to be computed with a salt which ideally is different for every user. The salt being exposed doesn't change that.
Edit: For Google/Facebook sign-in, which I presume is OAuth, it works differently and they're correct in saying your Google or Facebook password is not at risk.
So usually, I'd agree, but in this case it's fairly reasonable to say it's unlikely anything was accessed. Cracking bcrypt takes time. If the hackers wanted to target an individual, they'd just phish them.
Also, they literally say:
> As a precaution, we recommend changing your Canva password.
If you login with Facebook or Google then you log in using the OAuth2 protocol and the only thing Canva gets is a token signed by Facebook/Google saying you are who you say you are.
There are benefits & drawbacks; it does greatly improve security, but Google & Facebook get data on what services you use. It would be nice to have a privacy-focused nonprofit identity provider, but it's very hard to build up that network - both in users, who won't sign up unless sites accept it, and in sites, who won't accept it until there are users.
Microsoft (disclaimer: I work there, but not on this product) is trying to get a decentralized identity thing off the ground[0]. It uses the blockchain, so I was pretty skeptical at first but it's actually pretty well-though-out (including the "unhappy path" where users are unable to identify themselves after losing a key or whatever).
> Also, Canva hasn't accepted nor denied if their salt was compromised
AFAIK, it's assumed that the salt is compromised with the hash - it's stored alongside the hash. The point of the salt is to prevent lookups.
Telling you to change your Facebook/google password _is_ pointless, as they don't have those.
> Translation: "We don't know"
I'm not sure what else they are supposed to say - saying they have could cause unnecessary panic and is probably misleading, but they can't conclusively say no as the evidence may have been hidden.
It seems as though these breaches have limited effect on user behaviour. Perhaps I'm just being cynical but if you are aren't getting access and you are just getting hashed passwords, do people even care? Does it even matter?
Of course names and contact details are not great. I get that. But will this even effect Canva?
38 comments
[ 3.3 ms ] story [ 102 ms ] threadhttps://support.canva.com/contact/customer-support/may-24-se...
> Passwords in their encrypted form were also obtained (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.
So while I hate the phrasing, this statement seems reasonable for once, if lacking in details how they came to the conclusion:
> There have been no indications that any user designs have been accessed.
Yet again though, bad practical password advice:
> Passwords should be changed frequently (at least every 90 days).
Why exactly? What does rotating passwords "at least every 90 days" buy me, against what threat model? Much better advice would be not to reuse passwords across sites, with links to password managers.
Oh, and from what I could see, they don't offer any kind of 2FA.
As a reminder, NIST 800-63 [0] has some decent guidelines, which they seem roughly to be advocating with the rest of the password advice.
[0] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
https://en.wikipedia.org/wiki/The_Print_Shop
I wouldn't be surprised if a lot of people just signed up to check it out and if a lot of other users registered multiple times with different emails to have access to the free trial.
Facebook says ~17 million fake account creation attempts per day[1] (that they catch after the fact), so it doesn't seem that unusual.
[1] https://news.ycombinator.com/item?id=20000235 (3B/6 months == ~17M/day)
And even moreover a news story saying that 25,000 users data was stolen is not a big deal. A news story saying that 1 billion users data was stolen is a big deal. And then brings up the obvious question of whether the stolen data is really real in some way.
So we'd expect Canva to have a lot more users than Hootsuite.
Also, they've raised over $80M in multiple rounds from top VCs including Sequoia [3], which would be hard to do if they were bullshitting about their numbers.
[1] https://www.alexa.com/siteinfo/canva.com?ver=classic
[2] https://www.alexa.com/siteinfo/hootsuite.com?ver=classic
[3] https://www.smartcompany.com.au/startupsmart/news/canva-50-9...
Sounds like a good idea. Templates have pretty much taken over web design, it makes sense that it will take over other run-of-the-mill categories of design (where hiring a custom designer doesn't make sense).
Definitely a great service, it doesn't surprise me it has so many users.
Were the investors made aware of the hack? I also wonder for how long they've known about it, but decided to keep it secret until they get new investment money.
I mean I'm just supposed to believe you at face value and not change my passwords? You just lost my password..
Exactly the point of a salt, to make it so rainbow tables need to be computed with a salt which ideally is different for every user. The salt being exposed doesn't change that.
Edit: For Google/Facebook sign-in, which I presume is OAuth, it works differently and they're correct in saying your Google or Facebook password is not at risk.
So usually, I'd agree, but in this case it's fairly reasonable to say it's unlikely anything was accessed. Cracking bcrypt takes time. If the hackers wanted to target an individual, they'd just phish them.
Also, they literally say:
> As a precaution, we recommend changing your Canva password.
https://support.canva.com/contact/customer-support/may-24-se...
Microsoft (disclaimer: I work there, but not on this product) is trying to get a decentralized identity thing off the ground[0]. It uses the blockchain, so I was pretty skeptical at first but it's actually pretty well-though-out (including the "unhappy path" where users are unable to identify themselves after losing a key or whatever).
[0] https://www.microsoft.com/ownyouridentity
AFAIK, it's assumed that the salt is compromised with the hash - it's stored alongside the hash. The point of the salt is to prevent lookups.
Telling you to change your Facebook/google password _is_ pointless, as they don't have those.
> Translation: "We don't know"
I'm not sure what else they are supposed to say - saying they have could cause unnecessary panic and is probably misleading, but they can't conclusively say no as the evidence may have been hidden.
Of course names and contact details are not great. I get that. But will this even effect Canva?