It seems that the data breaches are coming in more and more frequently. This time more than 100 million people were affected and an immensely popular service came into the limelight in a negative way - Canva
So, what happened?
On Friday, May 24, 2019 (AEST) Canva became aware of an in-progress, malicious attack on their systems. As soon as they were notified, they immediately took steps to identify and remedy the cause and reported the situation to the authorities (including the FBI).
The malicious attacker accessed several Canva usernames and email addresses. The attacker also obtained cryptographically secure passwords (all passwords were individually salted and hashed with bcrypt). While this is industry best practice, it is possible to crack weak or obvious passwords with the use of enough computing power or just plain guessing.
Google tokens were also accessed, so changing those passwords is a good plan as well.
And here’s the kicker - Canva does not offer 2FA, so if the password is guessed, the account is breached. Same goes if you haven’t turned 2FA on for your Google and Facebook accounts that were used for sign-up.
No harm was done, right?
Canva was commended for their technical approach to this breach, in both detection as well as patching the breach as quickly as possible. The attack was opportunistic, and many have claimed that there is no long-term harm done from the data accessed. Though there is something to consider - social engineering.
We talked about this before - the use of small bits of personal data to obtain access to additional data, leading to the financial and critical personal data that can do severe harm to a person. So, any data breached or lost can be an issue.
Canva was also criticised for the initial notifications sent that began the email with marketing announcements. The email could easily be mistaken for a marketing email up front and thus deleted, leaving a considerable amount of people with their account even more vulnerable as they don’t know they need to change their passwords.
You can do more than just two-factor authentication
Whenever security issues come up (and they will), it is crucial to communicate them to the users and clients in an open, honest and clear manner. Both in what happened, what was taken, and what should the next steps be. It’s not just about having the right measures like hashing and 2FA in place, but also allowing the users to make the best decisions regarding their personal information.
There is no need to be overly dramatic, you don’t have to change your email accounts and delete your social media, but changing passwords makes sense, having 2FA makes sense, changing passwords on all accounts related to the email address that have similar passwords - makes sense.
So, in conclusion, there will be more and more breaches down the line. It’s crucial to be prepared both on the technical as well as the organisational side and communicate with the users so they can make the best decisions for themselves and their information. The best spin you can give is always honesty, even if you’ve made mistakes since that allows the loyal followers to keep their trust in the service, while the aspects of it are improved.