Alleged Dataset Leak of Canva Exposes 900,000 User Records With Bcrypt Passwords, OAuth Providers, and Design Platform Usage Data
Threat actor xorcat leaks 900,000 Canva user records with bcrypt passwords and OAuth data.
Summary
A threat actor known as xorcat has allegedly leaked a database of 900,000 Canva user records, containing email addresses, bcrypt-hashed passwords, OAuth provider information (Google/Facebook), account metadata, and platform usage data. The 102 MB compressed dataset was published as a free download on dark web forums with a 20-record sample for verification. While bcrypt hashing provides stronger protection than MD5 or SHA1, the exposure of linked OAuth providers and design platform usage data enables targeted phishing and account takeover attacks.
Full text
Dark Web Informer - Cyber Threat Intelligence
March 31, 2026 - 1:38:50 PM UTC

Quick Facts
- Date & Time: 2026-03-31 13:38:50 UTC
- Threat Actor: xorcat
- Victim: Canva
- Industry: Technology / Design
- Category: Data Leak
- Total Records: 900,000 Users
- Data Size: 102 MB (Compressed)
- Password Hashing: Bcrypt ($2y$10$)
- Price: Free (Public Leak)
- Network: Open Web
- Auth Methods: Google, Facebook, Email
- Country: Australia

Incident Overview
A threat actor going by xorcat has uploaded a database allegedly from Canva, the widely used Australian design platform with over 170 million monthly active users worldwide. The leaked dataset contains 900,000 user records and has been published as a free download for registered forum members. The actor provided a 20-record sample to demonstrate the data's structure and authenticity.

The dataset contains the following fields per user record:
- Account Identifiers: User IDs, email addresses, and full names.
- Credentials: Passwords hashed with bcrypt ($2y$10$), which is a strong hashing algorithm. Unlike MD5 or SHA1 leaks, bcrypt hashes are computationally expensive to crack, though weak passwords are still vulnerable to targeted attacks.
- Authentication Providers: Which OAuth method each user signed up with (Google, Facebook, or email), revealing which third-party accounts are linked to each Canva profile.
- Geographic Data: Country codes for each user.
- Account Metadata: Creation dates and last login timestamps, showing when accounts were created and when they were most recently active.
- Platform Usage: Team/brand data, design counts, and storage usage, which reveals how actively each user engages with the platform and whether they are individual or enterprise users.

It's worth noting that Canva previously experienced a major breach in May 2019 that affected 137 million users. This appears to be a separate, smaller dataset of 900,000 records. The inclusion of design counts, storage usage, and team/brand data is particularly useful for identifying high-value enterprise accounts, professional designers, and business users who may store sensitive client work on the platform.

Compromised Data Categories
- User IDs
- Email Addresses
- Full Names
- Bcrypt Hashed Passwords
- OAuth Provider (Google/Facebook/Email)
- Country Codes
- Account Creation Dates
- Last Login Timestamps
- Team / Brand Data
- Design Counts
- Storage Usage

MITRE ATT&CK Mapping
- T1190 Exploit Public-Facing Application: Targets vulnerabilities in the design platform's web application or API to gain unauthorized access to the user database containing 900,000 records.
- T1555 Credentials from Password Stores: Extracts bcrypt-hashed passwords from the database. While bcrypt is resistant to brute-force attacks, weak or reused passwords remain vulnerable to targeted cracking.
- T1213 Data from Information Repositories: Extracts structured user data from the platform's database including personal profiles, authentication methods, usage metrics, and team/enterprise account details.
- T1589.002 Gather Victim Identity: Email Addresses: Harvests 900,000 email addresses with associated names, country codes, and OAuth provider details for targeted phishing, credential stuffing, and social engineering campaigns.
- T1567 Exfiltration Over Web Service: Publishes the stolen database as a free download on web forums, gated behind forum registration, with a vouch center for reputation verification.
- T1528 Steal Application Access Token: The exposure of OAuth provider details (Google/Facebook) reveals which third-party accounts are linked, enabling targeted attacks against those connected authentication chains.
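
The `$2y$10$` prefix listed under Password Hashing is bcrypt's modular-crypt header: variant `2y` and cost 10, meaning 2^10 = 1,024 key-setup iterations per password guess. As an added example (not part of the original report), the Python below parses that format and flags stored hashes below an assumed policy floor so they can be rehashed at the user's next login; `MIN_COST`, the function names and the sample values are assumptions constructed for illustration, and the check is format-level only.

```python
import re

# bcrypt modular-crypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MIN_COST = 12  # assumed policy floor for this example; tune to your own latency budget

# Constructed sample values (not real hashes): filler salt and digest of the right length.
SALT, DIGEST = "ExampleSaltExampleSal.", "x" * 31
SAMPLE = {
    "alice": "$2y$10$" + SALT + DIGEST,  # same variant and cost as the report describes
    "bob": "$2y$12$" + SALT + DIGEST,
    "carol": "not-a-bcrypt-hash",
}


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields, or raise ValueError if malformed."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {"variant": variant, "cost": cost, "iterations": 1 << cost, "salt": m.group(3)}


def audit(stored, min_cost=MIN_COST):
    """Classify each stored hash: 'ok', 'rehash' (cost below policy) or 'invalid'."""
    report = {}
    for user, h in stored.items():
        try:
            info = parse_bcrypt(h)
        except ValueError:
            report[user] = "invalid"
            continue
        report[user] = "ok" if info["cost"] >= min_cost else "rehash"
    return report


def relative_work(cost_a, cost_b):
    """How many times more key-setup work cost_b needs per guess than cost_a."""
    return 2 ** (cost_b - cost_a)


if __name__ == "__main__":
    print(audit(SAMPLE), relative_work(10, 12))
```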
Indicators of Compromise
- malware — xorcat
- mitre_attack — T1190
- mitre_attack — T1555
- mitre_attack — T1213
- mitre_attack — T1589.002
- mitre_attack — T1567
- mitre_attack — T1528