Another day, another security breach carried out by the hacker known as GnosticPlayers. This time the target was online graphics design service Canva – and the account details of 139 million users were taken.
GnosticPlayers reported the hack to online technology website ZDNet, sharing a selection of records to prove their claims. The stolen data included Canva customer names, email addresses and basic location data.
The stolen information also included passwords. Speaking to the press, Canva was quick to reassure victims that login details had been salted and hashed using bcrypt, one of the most effective password-hashing techniques currently available. bcrypt is deliberately slow, and the per-user salt means every hash has to be attacked separately, so recovering passwords from the raw data is expensive. It is not impossible, though: an attacker can still test common or previously leaked passwords against each hash, just far more slowly, so weak or reused passwords remain at risk.
Hashed passwords are safer, but…
But it’s not all good news. Canva also allows users to create accounts using ‘Sign in with Google’. With this technology you sign into a third party website with your Google account: you enter your Google credentials on Google’s own login page (Canva never sees your Google password), Google confirms who you are and then issues a signed ‘digital token’ that is handed to the website – in this case Canva.
The digital token is Google’s signed proof that you are who you claim to be. Canva checks that the signature is genuine, that the token was issued for Canva and that it has not expired, and then logs you into your account without you needing a Canva password.
The problem is that if one of these tokens is stolen before it expires or is revoked, the thief can present it to the site it was issued for and impersonate you there, potentially accessing and stealing any sensitive data you store in that account. A token issued for Canva is tied to Canva, so it cannot simply be replayed at your other Google-enabled accounts – but until it expires or is revoked it is as good as your password at the site it was issued for.
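To make the audience and expiry checks concrete, here is an added example (not code from the original post, and not Canva’s or Google’s code) of how a site validates an ID-token-shaped JWT before trusting it. It uses HMAC-SHA256 with a made-up key as a stand-in for Google’s RSA signatures so that it runs offline with the Python standard library; the client IDs, timestamps and user details are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key. Google really
# signs ID tokens with RS256 and publishes its public keys; HMAC-SHA256 with a
# shared secret is used here only so the example runs offline (assumption).
ISSUER_KEY = b"example-signing-key-not-a-real-google-key"
ISSUER = "https://accounts.google.com"

# Hypothetical OAuth client IDs for two relying parties (made up for this example).
CANVA_CLIENT_ID = "canva-example.apps.googleusercontent.com"
OTHER_CLIENT_ID = "other-site-example.apps.googleusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(ISSUER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_id_token(subject: str, email: str, audience: str, issued_at: int, lifetime: int = 3600) -> str:
    """Mint an ID-token-shaped JWT the way the identity provider would.

    'aud' binds the token to one relying party; 'exp' limits how long it is
    valid (Google ID tokens live for about an hour).
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,        # stable user identifier at the provider
        "email": email,
        "aud": audience,       # the client ID this token was issued for
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_id_token(token: str, expected_audience: str, now: int):
    """The checks a relying party must make before trusting a token.

    Returns (True, subject) on success or (False, reason) on failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    # 1. Signature: only the provider's key can produce it, so tampering is detected.
    if not hmac.compare_digest(_sign(header_b64 + "." + claims_b64), _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    # 2. Issuer: the token must come from the provider we trust.
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    # 3. Audience: a token minted for Canva is useless at any other site.
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    # 4. Expiry: a stolen token stops working once its lifetime has passed.
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    return True, claims["sub"]


def replay_scenarios() -> dict:
    """Exercise the checks with a token 'stolen' from Canva's database."""
    t0 = 1_558_000_000  # constructed issue time (seconds since the epoch)
    stolen = issue_id_token("1234567890", "alice@example.com", CANVA_CLIENT_ID, t0)

    # A thief edits the claims (here the audience) without holding the key.
    header_b64, claims_b64, sig_b64 = stolen.split(".")
    forged_claims = json.loads(_b64url_decode(claims_b64))
    forged_claims["aud"] = OTHER_CLIENT_ID
    forged = header_b64 + "." + _b64url(json.dumps(forged_claims).encode()) + "." + sig_b64

    return {
        "at_canva_while_fresh": verify_id_token(stolen, CANVA_CLIENT_ID, t0 + 60),
        "at_other_site": verify_id_token(stolen, OTHER_CLIENT_ID, t0 + 60),
        "at_canva_next_day": verify_id_token(stolen, CANVA_CLIENT_ID, t0 + 86_400),
        "forged_audience": verify_id_token(forged, OTHER_CLIENT_ID, t0 + 60),
    }


if __name__ == "__main__":
    for name, result in replay_scenarios().items():
        print(f"{name}: {result}")
```

Run it and the four scenarios show the point: the stolen token works at Canva only while it is fresh, fails at the other site because of the audience check, and fails everywhere once it has expired or been tampered with. A real relying party fetches Google’s current public keys and verifies an RS256 signature rather than sharing a secret, and the longer-lived refresh tokens a site may also hold do not necessarily expire on their own, which is why revoking the site’s access matters after a breach.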
Tokens – a great idea until they are stolen
Digital tokens are designed to be simple – but they share a weakness with reused passwords. Reusing a password is a bad idea because if one account is compromised, every account that shares the password is at risk too. Signing in with Google concentrates risk in a similar way: if your Google account itself is compromised, every site you log into with it is compromised as well, and a token stolen from one site lets an attacker impersonate you there until it is revoked.
To maximise protection, you should always use a completely unique password for every site. But that is incredibly difficult to achieve – especially when you probably have more than 100 online accounts to manage. And although tokens are convenient and in some ways more secure than passwords, the Canva breach shows they are open to compromise too.
Boosting personal protection
For maximum personal security (and privacy), some security experts advise against using ‘Sign in with Google’-style logins, both because of this concentration of risk and because the identity provider learns which services you use. Instead they suggest a separate login for every website and service you use. If you do keep signing in with Google, protect the Google account itself with 2-Step Verification, because it has become the key to everything behind it.
A password manager, like that found in Panda Dome Complete, can dramatically simplify the login process. The manager will automatically generate a unique, complex, unguessable password for every website and service you use – and remember them automatically for you. You just need to remember a single password to log in to the tool and unlock the necessary details.
In the meantime, Canva users should reset their passwords as soon as possible. Anyone who signed in with their Google account should also open the security settings of that Google account, review the list of third-party apps with access and remove Canva’s access, so that any stolen token is revoked – changing the Google password alone does not necessarily invalidate tokens already issued to third-party sites.
And don’t forget – you can always download a free trial of Panda Dome to test the password manager function.
The post Canva hack is a reminder of the importance of password security appeared first on Panda Security Mediacenter.