This morning Canva notified it’s users, including many small business team members, that they had experienced a data breach. As huge fans of Canva, several of us at Cynch also received this notification and were grateful for a number of things:

Notification sent to Canva users of the data breach they experienced.

That the breach had been contained quickly once identified, 👏
That the really bad stuff, like passwords, had been stored securely and were pretty safe, 👏👏
That Canva had publicly notified everyone, including it’s users, within the same day 👏👏👏

While every data breach is disappointing, Canva’s focus on making sure harm was minimised by notifying their millions of users with clear guidance on what it means to them and what action they should take should be applauded.

In an interesting twist, the hacker that attacked Canva also made some public announcements this morning providing a few extra details of the risk. A couple of interesting nuggets we noticed in the story published by ZDNet on the Canva hack included:

The hacker (known for selling previously stolen data on the darknet) was interrupted, leaving them with data up to May 17th,
Data included a fair amount of person information including real names and location,
Over 55% of Canva users were Gmail account holders that had possibly had their authentication tokens stolen.

Point 1 above is a good sign that Canva’s response was effective against the attack, however points 2 and 3 may need a little more consideration from small businesses.

Keep an eye out for suspicious emails

The data stolen in this breach is likely to end up for sale to other criminals in the coming days (if it’s not already). Having your email address stolen is certainly a pain and might increase the amount of spam you receive, but when other details like your full name and location are also stolen, the chances you’ll be targeted by more sophisticated phishing emails also increases.

To protect your business from these attacks, take extra caution in the coming days to question dodgy looking emails, and be extra cautious of those that appear to come from Canva. They know you’re a Canva user now so may try to misuse that information to trick you.

Don’t forget to let your team know as well, particularly if you think there’s a chance they’ve used Canva in the past.

Secure your G Suite accounts

This one is really only relevant for businesses, like Cynch, that use Google G Suite.

One of the awesome benefits of having a G Suite account is that for many services you can simply click a button and login without having to setup another account. Signing into online services like Canva in this way is something we recommend to our small business cyber fitness members as your team has to remember fewer passwords and it can give you as the business owner a central way of seeing what your team are accessing.

The other major benefit is that in the event that a service your team uses is compromised, like this morning, you can quickly figure out the impact and take action without simply asking your team to change their passwords and hoping they do. As with everything we recommend, you can do this in less than 5 minutes.

The first step is to figure out who in your business is using the breached service.

Audit your G Suite tokens to see if anyone was caught out in the Canva data breach.

Start by opening the “Token Audit Report” in the G Suite Admin Console.
In the left hand side of the screen, enter the name of the service in the “Application Name” field and hit search. In this instance you should search for Canva.
Take a note of anyone from your team shown on the right that was using their G Suite account to login to the compromised service.

Next you’ll want to revoke access for affected users

For each of the users that showed up in the audit log, you can remove the impacted service to revoke any access tokens.

This is a bit like resetting their password without actually having to pick a new one.

Search for the affected user in search bar at the top of the G Suite Admin Console
On the user’s account page, click on the “Security” card.
On the security page scroll down to the “Connected Applications” section and click on it to show a list of all the services connected to that account.
Look for the compromised service and click the Remove icon on the right hand side. In this instance you’re looking for Canva.
You should see a message explaining that this will remove the user’s access to the service. For Canva this simply requires them to reconnect their Google account, but be careful with other services as they may have a bigger impact.
Click Remove if you’re comfortable.
Repeat the same steps for any other team members listed in the token audit log.

Remove access to Canva in G Suite to reset your team member’s access tokens.

That’s it.

Each team member you’ve remove access for will need to reconnect their Google account next time they login to Canva or whatever service you revoke access to, but that 15 seconds of hassle should be well worth you feeling confident your team’s accounts are a bit safer.

Next Steps

Data breaches like the one Canva experienced today will continue to happen. Being prepared for these events is a fundamental step every small business owner should take to protect their business. Regularly reviewing things like token audit logs and putting a plan in place on what to do will go a long way.

If you’re a business owner concerned about the cyber risks in your small business, check out our Cyber Boot Camps or email us at hello@cynch.com.au to learn more about how we can help.

What to do if a service your small business team uses is compromised