Infamous hacker GnosticPlayers struck again this morning, stealing data for roughly 139 million users from Canva – one of the biggest names in Australia’s tech market. The hacker – or group of hackers – tipped off ZDNet and sent samples of the stolen data.
Since February this year, GnosticPlayers has stolen data on a total of over one billion users from 45 different companies all over the world, to sell it on the dark web.
GnosticPlayers, who remains unidentified, contacted ZDNet about his latest hack of Australian tech start-up Canva, which was breached earlier in the morning.
“I download everything up to May 17,” GnosticPlayers said. “They detected my breach and closed their database server.” Stolen data includes usernames, real names, and geographical information where available.
Data for 139 million users were also present in the database.
In other cases, the stolen information included Google tokens, which can be used to sign up without having to set a password.
A total of 78 million of the stolen Canva accounts were associated with Gmail addresses.
ZDNet asked the hacker for a sample of the data. It received an extract containing 18,816 accounts, including details from some of the website’s staff.
ZDNet then used the data to get in touch with Canva users, who confirmed the validity of the information, and with the website’s administrators to tell them of the breach and ask for an official statement.
A spokesperson from Canva replied via email.
“Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses. We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution,” Canva said.
“We will continue to communicate with our community as we learn more about the situation.”
Canva was founded in 2012 and quickly grew to be one of Australia’s most successful tech companies. It is a favorite among private users and businesses that use it for quick design work.
In previous interviews, GnosticPlayers told ZDNet that he was aiming to steal one billion user credentials. With today’s breach, he has reached and exceeded his goal, with a total of 1.071 billion credentials stolen from 45 companies.