Canva Security Incident – May 24 FAQs
——
Page Updated January 17, 2020, 10:21 AEST
On 11 January 2020, Canva became aware of a list of approximately 4 million Canva accounts, with their passwords, derived from the data stolen in the May 24 breach (see the notes below, dated June 1, 10:13 AEST). The stolen password hashes had been cracked and the resulting plaintext passwords recently shared online.
Because any password unchanged since the breach could be used to access a Canva account, we responded immediately by restricting Canva logins, invalidating passwords that had not been changed, and notifying users whose plaintext passwords appear in the list.
It has been 7 months since malicious individuals gained access to our hashed password data and made it available on the internet. In that time they appear to have spent their resources cracking those hashes. Approximately 4 million Canva accounts affected by the May 2019 incident have now had their passwords cracked.
Over the past 7 months we have sent a variety of communications telling affected users how to secure their accounts. If you proactively changed your Canva password in that period, you do not need to change it again.
On 2020-01-12, we reset the passwords of all users who had not changed their password since 2019-05-24. These users will be required to set a new password when they next log in to Canva. Because we are forcibly resetting passwords, we are also directly notifying recently active Canva users whose passwords have been reset.
We are also notifying Canva users whose passwords appear to have been cracked, so that they can protect other accounts where the same password has been used.
Affected users will be required to set a new password to continue using Canva. A reset does not mean that your account has been accessed by attackers; it is a precaution to protect your Canva account.
Follow our password guidelines. Once again, we suggest you:
- Create hard-to-guess passwords using a mix of upper- and lower-case letters, numbers and special characters.
- Use a password manager for all your Internet passwords.
- Use a password that has not been used on any other site or account.
Users with a valid recovery address can reset their password using the regular password reset procedure. Users without a valid email address will need to use the manual recovery procedure.
We apologize for any inconvenience caused, and thank you for your continued support and cooperation.
Sebastian Welsh (Head of Security, Canva)
——
Page Updated August 10, 2019, 23:25 AEST
Some of our users have recently been notified by haveibeenpwned.com (HIBP) and Firefox Monitor of the security breach that occurred on 24 May 2019. You can read more about the attack, how we responded, and what we did in the notes below, dated June 1, 10:13 AEST.
The content of these notifications is accurate, and we’re grateful to HIBP and Firefox Monitor for the service they provide to the community.
For some people with Canva accounts this security notification appears to have come as a surprise, which is regrettable. As part of our incident response, one of the first things we did was to try to contact affected users by email and through in-app alerts.
The HIBP notification has led some users to ask whether their passwords were compromised. The short answer is no: plaintext passwords were not accessed. What was accessed was individually salted, bcrypt-hashed passwords. For non-technical users, bcrypt is like a one-way door: it turns your password into a value that is extremely hard to convert back into the original password, even with the strongest computers.
The way we store passwords makes password guessing very costly, but not impossible, and it is far easier when the password is itself easy to guess, such as password1, 123456! or Alex1997. So to protect our users on Canva and elsewhere, we have asked all our users to change their passwords on Canva and anywhere else they used the same password. To help users avoid this risk, we have partnered with 1Password to offer one year of free access to their password manager, and we have implemented stronger password checks within Canva.
Since the incident, we have introduced a number of internal changes to protect your data. Working closely with the cyber security consultancy Mandiant and other partners, we have identified the extent and causes of the attack, and made changes to our systems to add a further layer of protection for our users. We will publish a postmortem of the incident in due course; in the meantime, if you have further questions or would like to learn more about the measures we have taken to secure your data on Canva, please reach out to us.
——
June 1, 2019, 10:13 AEST
Following an investigation with cyber security experts, we now have a better understanding of the impact of the attack and want to provide as much context as we can to our community.
On Friday 24 May 2019, we detected a malicious attack on our systems and stopped it as it was occurring. Our first response was to lock down Canva, then to notify authorities and users that the breach had occurred. Unusually, the intruder, having been interrupted mid-attack, tweeted about it, which required a rapid communications response.
Since then we have worked with cyber security experts and authorities, such as the FBI, to help protect our users, and are communicating the latest information below.
- They accessed information from our profile database for up to 139 million users. The profile database contains usernames, names, email addresses and country, and optionally user-supplied data about city and/or homepage URL, which was already available through the user's public profile.
- They accessed cryptographically protected passwords (these were individually salted and hashed with bcrypt) for any of those users with username/password logins.
- They claimed to have obtained OAuth login tokens for users who signed in via Google. Our OAuth tokens are encrypted with AES-128 and the encryption keys are stored separately from the tokens. We have found no evidence that they downloaded the OAuth tokens or tried to access the keys.
- They briefly viewed files with partial credit card and payment data. We found no evidence these files were stolen. Files contained partial credit card data from before September 28, 2016 (name, expiry date, last 4 digits, card brand and card country), and payment histories from before September 16, 2017 that contained transaction dollar amounts, dates, and IDs for some payments for users and contributors. These limited card details cannot be used for payments. Canva never stores full credit card details.
Designs and images are securely stored in separate systems. There has been no indication that any user designs or images have been accessed.
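Both the August note and the list above make the same two claims: the stolen passwords were individually salted and bcrypt-hashed, and that makes guessing costly but not impossible when the password itself is weak. The following added example (not Canva's code) shows both halves of that claim: per-user salts, a deliberately slow hash, and the offline dictionary attack an attacker runs against a stolen table. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it; the accounts, passwords and wordlist are constructed for the example.

```python
"""Salted, slow password hashing versus an offline dictionary attack.

Added example, not Canva's code. Canva's notes describe individually salted
bcrypt hashes; bcrypt needs a third-party package, so PBKDF2-HMAC-SHA256 from
the standard library stands in for it here (same shape: per-user salt plus a
tunable work factor). Users, passwords and the wordlist are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Work factor: every guess costs this many HMAC iterations, for the attacker
# as much as for us. bcrypt's cost parameter plays the same role (2**cost).
# Kept low so the demo runs in well under a second; production uses far more.
ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different stored hashes, so one precomputed
    table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def offline_dictionary_attack(records: dict[str, tuple[bytes, bytes]],
                              wordlist: list[str]) -> dict[str, str]:
    """What an attacker does with a stolen (salt, hash) table: try each
    wordlist entry under each user's salt. The salt forces the work to be
    repeated per user and the work factor makes each try slow, but neither
    helps a password that is itself in the wordlist."""
    cracked: dict[str, str] = {}
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked


# Constructed sample accounts; the weak passwords are the ones Canva's note names.
SAMPLE_USERS = {
    "alice@example.com": "password1",
    "bob@example.com": "Alex1997",
    "carol@example.com": "password1",                # same as alice
    "dave@example.com": secrets.token_urlsafe(16),   # manager-generated, random
}
# Constructed attacker wordlist, standing in for a real leaked-password list.
SAMPLE_WORDLIST = ["123456", "password", "password1", "123456!", "Alex1997", "qwerty"]


def build_records(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Simulate the server-side table the attacker stole."""
    return {user: hash_password(pw) for user, pw in users.items()}


def demo() -> dict[str, str]:
    """Hash the sample accounts, then run the attack against the table.
    Returns the accounts whose passwords the wordlist recovered."""
    records = build_records(SAMPLE_USERS)
    # Salting at work: alice and carol share a password but not a stored hash.
    assert records["alice@example.com"][1] != records["carol@example.com"][1]
    return offline_dictionary_attack(records, SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, password in demo().items():
        print(f"cracked {user}: {password}")
    # dave's random password is in no wordlist and is never recovered.
```

The three weak accounts fall to a six-word list despite unique salts and a slow hash; the random, manager-generated one does not. That is the whole argument for the password guidance in these notes: the hash buys time, the password itself decides whether that time is enough.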
We continue to invest heavily in security. We intend to publish a technical post mortem of the incident once our investigations are complete. Our first priority, though, is to protect our users. Here’s what we’re doing:
- Notifying our users: We want our users to know that they’ve been affected. We’ve directly contacted users via email, but some users have out-of-date or incorrect email details so we have also used in-app notifications and the press to alert users to the breach. We are following up on our initial notification with individual emails to each user outlining what data was accessed.
- Prompting users to change passwords: We’ve asked all users who had passwords set before the attack to change them, and are adding rules to help users set stronger ones.
- Resetting OAuth tokens: We’ve worked with our partners to make sure all active login tokens that existed prior to the breach are reset. These users will be prompted to reconnect their Canva account.
- Coordinating with partners: We are working with partner agencies to share information about the attack, identify the risk to users, and coordinate responses. For example, we’re alerting the email abuse teams of major providers to make it harder for attackers to phish our users.
- Partnering with 1Password: While we recommend that our users use different passwords for each site they use, we know that’s hard. We have partnered with 1Password to offer a year free to Canva users who don’t already use their service.
- Change your password: If you have a password on Canva and haven’t done so already, we are recommending that everyone change their password on Canva, and if you used the same password on other sites you should change those too.
- Report suspicious emails: As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you receive an email you believe is suspicious, do not click any links in it and do not respond; flag it with your email provider.
- Use a password manager: We recommend you use a password manager such as 1Password or Google Chrome to generate and remember a unique, secure password for each site you use.
- Update your Google/Facebook login if we’ve disconnected it: If you sign in using Facebook or Google we may have reset your login. Just log in again to get back into your Canva account.
- Update your contact details: Once you have logged in to Canva, please add or update your contact details so we can always contact you about your account.
We are deeply sorry that this has happened. Everyone at Canva has been on the receiving end of updates like this, and at a personal level we know how upsetting it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.
Sebastian Welsh (Head of Security, Canva)
People also viewed
Log4j2 Vulnerability Update
On 10 December 2021 AEDT, we were made aware of a remote code execution vulnerability (CVE-2021-44228) in Apache Log4j2, a popular Java logging library. We undertook a thorough investigation to confirm that Canva desktop and mobile applications are not impacted by this vulnerability, and implemented layered mitigations to protect Canva systems and services. We are also working with our service providers to make sure they are taking appropriate action. At this time, there is no action required from Canva customers. We are actively monitoring the issue and will provide status updates upon significant change.
Protect your account
At Canva, we are committed to protecting your data and privacy. To help with this, we recommend the following for added protection of your account.
Log in using your Apple, Facebook, or Google account
Using a social login means you don't need to set or remember a password. After you log in to your provider, they can tell Canva who you are.
Use a password manager
Passwords should be unique and unpredictable. Using a password manager is the easiest way to set a strong password, and it lets you use a different strong password for every login without having to remember them all.
Pick a strong password
Canva checks passwords against known data breaches. If your password was exposed in a third-party breach, you'll be asked to choose a different one; this protects your account from unauthorized access. Use a unique password you haven't used elsewhere. If you can't use a password manager, use a password that’s at least 8 characters, and avoid the following because they’re easy to guess:
- A word by itself
- Recent years
- Straight rows of keys
- Sequences like “abc” or “6543”
- Repeats like “aaa” or “abcabcabc”
- Short keyboard patterns
- Names and surnames
- Context like the website name
- Dates
We also recommend changing your password from time to time.
Set up Multi-Factor Authentication
When multi-factor authentication is set up, you’ll need to enter the 6-digit code generated by your authenticator app each time you log in to Canva to verify it’s you. This helps ensure that you’re the only one with access to your account. See Setting up multi-factor authentication to learn how to set it up.
Sign out from all devices
By signing out of all sessions, you can prevent other people from accessing your account without your permission. For instance, if you forget to log out on a public computer, someone else may use that computer and gain access to your account. To learn how to do this, go to Log out of Canva.
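The article says Canva checks passwords against known data breaches but not how. The usual way to build such a check without sending the user's password to a third party is the k-anonymity "range" protocol of Have I Been Pwned's Pwned Passwords API: SHA-1 the password, send only the first five hex characters, receive every hash suffix sharing that prefix with its breach count, and match locally. The following is an added example of that protocol (not Canva's implementation, whose details the page does not give); the "breached" passwords and counts that stand in for the server are constructed so it runs offline, and the live fetch is included but not exercised.

```python
"""Checking a new password against a breach corpus without sending the
password anywhere.

Added example, not Canva's code. The page says Canva checks passwords against
known data breaches but not how; the usual way is the k-anonymity "range"
protocol of Have I Been Pwned's Pwned Passwords API: SHA-1 the password,
send only the first 5 hex characters, and compare the returned hash suffixes
locally. The "breached" passwords and counts used to fake the server here
are constructed so the example runs offline.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

PREFIX_LEN = 5  # what leaves the client: 20 bits of a 160-bit hash


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Each response line is '<35 hex chars of hash suffix>:<count>'."""
    suffixes: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffixes[suffix.upper()] = int(count)
    return suffixes


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen).
    The server only learns the 5-character prefix, which is shared by
    hundreds of unrelated hashes, so it cannot tell which one we hold."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the public API; not called by the offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in corpus (passwords and counts are made up for the demo).
CONSTRUCTED_BREACHED = {"password1": 2_413_945, "123456!": 30_215, "Alex1997": 12}


def offline_fetch_range(prefix: str) -> str:
    """Fake the server: every constructed entry whose hash starts with the
    prefix, plus a filler line so the response is never empty and the
    client must actually match the suffix rather than test for content."""
    lines = [f"{sha1_hex(pw)[PREFIX_LEN:]}:{count}"
             for pw, count in CONSTRUCTED_BREACHED.items()
             if sha1_hex(pw).startswith(prefix)]
    lines.append("F" * 35 + ":1")
    return "\n".join(lines)


def check_new_password(password: str,
                       fetch_range: Callable[[str], str] = offline_fetch_range) -> tuple[bool, int]:
    """Policy from the page: a password seen in any breach is refused.
    Returns (accepted, times_seen)."""
    seen = breach_count(password, fetch_range)
    return seen == 0, seen


if __name__ == "__main__":
    for candidate in ("password1", "Alex1997", "tq8W-vMx7_pLz29K"):
        ok, n = check_new_password(candidate)
        print(candidate, "accepted" if ok else f"refused, seen {n} times")
```

To run it against the real corpus, pass `live_fetch_range` as `fetch_range`; the privacy property is unchanged, since only the five-character prefix is ever transmitted.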
Use SAML authentication
Canva Teams and Canva Education can use SAML to authenticate users via Single Sign-On (SSO). Team administrators and owners can set this up.
I can't log in
Can’t log in to your Canva account? There are a few reasons this might happen. Check the common login issues below and how to fix them. If you log in with SSO (Okta, Microsoft Entra ID, Google, or another identity provider), see the common SSO login troubleshooting steps.
Login code required after entering password
For added security, you may be required to enter a login code after entering your password. This helps protect your account by verifying your identity. If you prefer, you can also log in using alternative methods such as Google or a passkey.
Did not receive my login code
If you did not receive your login code, the email may have been filtered into your spam, junk, or promotions folder by mistake. Check those folders. If the code is not there, check why you’re not receiving emails with login, sign-up, or verification codes. Once you’re logged in, go to Settings and set up a passkey. This adds an extra layer of security for your account and makes logging in faster on this device.
No access to my email
This usually happens when you’re using your work email and you’ve left the company or organization. Learn what to do when you can’t access your email. You can also add a recovery email to help you recover your account. If you’ve previously set up a recovery email, you can recover your account here. Note: this link only works if you’re logged out.
Google or Facebook authorization pop-up closes automatically
This can happen if a pop-up blocker is turned on. Turn off any pop-up blockers and try logging in again. Still stuck? You can log in by entering the email address you use for Google or Facebook, and we’ll send a code to your inbox. You can also try a different browser (see our supported browsers). If you’re logging in through Facebook and the issue persists, see the “You must authorize Canva to sign in with Facebook” section below.
“You must authorize Canva to sign in with Facebook” error
This error appears when Canva isn’t successfully linked to your Facebook account. To fix it, remove Canva from your connected apps in Facebook (see the Facebook Help Center on removing connected apps), then return to the Canva login page and select Continue with Facebook. You can learn more about creating and logging into your Canva account.
“Account is locked” error
This can happen for the following reasons:
- You were part of a managed Canva account and were removed from it. Contact the account owner/manager or IT admin.
- You subscribed to a Canva plan but not through the official website, which may have violated Canva’s Terms of Use and Acceptable Use Policy.
“We can't continue for security reasons. Try to connect to a different Wi-Fi network, turn off any VPNs, or use another browser. If you still need help, contact us with the error code” error
Fix this error by following these steps:
- Connect to a different Wi-Fi network.
- Make sure no VPN is in use.
- Use Google Chrome when logging in.
“Error 403: disallowed_useragent”
This error means you are probably signing in through a browser embedded in another app, which Google’s sign-in rejects. It happens when a design link shared via WhatsApp, Facebook Messenger, Instagram, or a similar app opens in that app’s own browser window. To fix the error:
- Open the link with your default browser or the Canva app.
- Click the link again and choose your default browser when your device asks how you’d like to open the link. If the prompt doesn’t show, copy and paste the link into your browser.
I can’t access Affinity
You need a Canva account to access Affinity. Learn how to access Affinity using Canva.
I have password issues
Reset your password from the password reset page. Learn more about resetting your password.
Still can’t log in?
Use our account recovery form to request access to your account.