Hushfolk
Back to breach centre

Canva breach guide

Canva data breach: what happened and what to do next

You do not need drama. You need signal. Here is the fast reality: what was reported, what may be exposed, and the practical moves worth doing right now.

Status: Confirmed

Last updated: 22 May 2026

Run free scan from this breach contextView sources
Canva breach summary image

Summary box

Incident date
01 May 2019
Reported date
24 May 2019
Sources verified
2

Company

Canva

Status

Confirmed

Data potentially exposed

Emails, Usernames, Names, Password hashes

Affected scope

Canva reported a large user-account breach affecting millions of accounts.

1. What happened?

An attack impacted account data at scale, with password-hash and profile information exposure reported.

  • Unauthorized access to user account data was detected and disclosed.
  • The incident involved credential-related and profile metadata elements.
  • Users were advised to reset credentials and review account hygiene.

2. Who may be affected?

  • Users with reused passwords across platforms.
  • Teams sharing workspaces with weak access controls.
  • Users who ignored follow-up account security prompts.

3. What should users do now?

  • Reset account credentials and rotate reused passwords elsewhere.
  • Enable MFA for core productivity and email accounts.
  • Review connected apps and revoke unnecessary sessions.
  • Watch for phishing that references design assets or team requests.

4. How exposure can spread beyond one incident

Creative-tool account data can be used for business-email compromise style scams.

5. How Hushfolk helps

Hushfolk helps users prioritize where exposed vectors may create downstream operational risk.

Check known breach and exposure signals

Terms in this article

New to security jargon? These quick definitions keep the page readable.

Need the full list? Open the security glossary.