Credential theft

Canva Data Breach (137M Users, GnosticPlayers)

📅 2019-05-24

Incident Details

On May 24, 2019, Canva, the Australian graphic design SaaS platform, suffered a data breach in which the threat actor GnosticPlayers exfiltrated approximately 137 million user records. Canva was notified by Troy Hunt (HaveIBeenPwned) after the actor attempted to sell the data on underground markets, and notified users the same day. GnosticPlayers was a prolific 2019 breach actor responsible for stealing over 1 billion records from 8+ companies in early 2019 (including data later comprising Collection #1, Evite, GameSalad, Youthmanual, etc.).

Exposed data included usernames, real names, email addresses, country of origin, bcrypt-hashed passwords (for approximately 61 million accounts), and partial payment information. Users who authenticated via Google OAuth had Google token data exposed. Canva forced password resets and invalidated OAuth tokens for affected accounts.

While bcrypt password hashes are computationally expensive to crack (significantly more secure than MD5/SHA1), the exposure of 137M email/username combinations created substantial credential stuffing risk. The breach was one of the largest affecting an Australian tech company and prompted increased scrutiny of Canva's security practices as the company was preparing for an IPO.
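The credential stuffing risk described above is what defenders at other services had to watch for once 137M email addresses were in circulation. The following added example (not from Canva or this page's source) scores login sources over a sliding window and separates stuffing (many distinct accounts, few attempts each) from a single-account brute force; the log format and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Canva data): "timestamp ip user result"
SAMPLE_LOG = """\
2019-05-25T10:00:01 203.0.113.7 alice@example.com FAIL
2019-05-25T10:00:02 203.0.113.7 bob@example.com FAIL
2019-05-25T10:00:02 203.0.113.7 carol@example.com FAIL
2019-05-25T10:00:03 203.0.113.7 dave@example.com FAIL
2019-05-25T10:00:04 203.0.113.7 erin@example.com OK
2019-05-25T10:00:05 203.0.113.7 frank@example.com FAIL
2019-05-25T10:00:09 198.51.100.4 grace@example.com FAIL
2019-05-25T10:00:10 198.51.100.4 grace@example.com FAIL
2019-05-25T10:00:11 198.51.100.4 grace@example.com FAIL
2019-05-25T10:00:12 198.51.100.4 grace@example.com FAIL
2019-05-25T10:00:13 198.51.100.4 grace@example.com FAIL
2019-05-25T10:01:00 192.0.2.9 heidi@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the text log."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def classify_sources(log, window=timedelta(minutes=5), min_attempts=5, distinct_ratio=0.8):
    """Return {ip: (label, attempts, distinct_users, accounts_logged_in)}.

    A source is reported once it makes at least min_attempts attempts inside
    `window`. Stuffing replays leaked pairs against many accounts, so the share
    of distinct usernames is high; a brute force concentrates on few users.
    accounts_logged_in lists successes from a flagged source: the accounts whose
    credentials should be treated as compromised and reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log)):
        by_ip[ip].append((ts, user, result))
    verdicts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            label = "credential_stuffing" if len(users) / len(win) >= distinct_ratio else "brute_force"
            hits = sorted(u for _, u, r in win if r == "OK")
            verdicts[ip] = (label, len(win), len(users), hits)
    return verdicts
```

The thresholds are assumptions for the sample; in production they are tuned to the service's normal login mix, and successes from a flagged source feed the forced-reset list rather than being treated as benign logins.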

Technical Details

Initial Attack Vector
Unauthorized database access by threat actor GnosticPlayers; attacker claimed to have exploited a vulnerability in Canva's systems (exact vector not publicly confirmed by Canva); affected database contained user account records including bcrypt-hashed passwords

Timeline

  1. 2019-05-24 Breach occurred
  2. 2019-05-24 Publicly disclosed
  3. 2019-05-24 Customers notified