Smartphone on surface showing Canva logo.

Canva data leak: what the alleged breach could mean for users

An alleged dataset linked to design platform Canva has surfaced online, reportedly containing around 900,000 user records. At this stage, this is an unverified claim, and Canva has not confirmed a new breach. But the detail of what’s been shared is raising questions about how user data could be exposed, and what that might mean for those affected. 

So what’s actually been reported, and how concerned should users be? 

What has been reported so far

According to threat intelligence sources, a user going by the name “xorcat” has uploaded a database allegedly taken from Canva. 

The dataset is said to include:

  • Email addresses and full names 
  • User IDs 
  • Passwords (hashed) 
  • Sign-in methods 
  • Account activity data 
  • Platform usage details.  

The file has reportedly been shared publicly on a forum, meaning it could be accessed and downloaded by others. 

However, without independent verification, it’s not yet clear:

  • Whether the data is genuine 
  • How old the dataset might be 
  • Or how it was obtained. 

In this case, the passwords are said to be protected using bcrypt, which is a strong hashing method designed to make cracking difficult. But that doesn’t eliminate risk entirely. 

Is this linked to the 2019 Canva breach?

Canva previously confirmed a major data breach in 2019, which affected around 137 million users. That incident involved exposed email addresses, usernames, and some encrypted passwords. 

This newly reported dataset appears to be:

  • Much smaller (around 900,000 records) 
  • Structured differently 
  • Potentially from a different source or time period  

At this stage, there’s no confirmed link between the two. 

What Canva users should do now

Even though this leak is unconfirmed, it’s a good reminder to review your account security — particularly if you use Canva regularly. 

A few practical steps:

  • Change your password (especially if reused elsewhere) 
  • Enable two-factor authentication (2FA) if available  
  • Be cautious of unexpected emails, particularly those asking you to log in 
  • Check connected accounts, such as Google or Facebook logins.  

These are sensible steps regardless of whether this specific dataset turns out to be genuine.

We are keeping an eye on developments and will provide updates on this alleged breach if needed. 

Join the Claim connects consumers with SRA-regulated lawyers. Keep an eye out for updates on any potential claim and possible eligibility checks/registration opportunities.

This information is for general guidance only and does not constitute legal or financial advice.

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

photovoltaic solar park renewable energy wind generators blue sky background
Ofgem reforms: what stronger energy consumer protections mean for you
The government is strengthening Ofgem’s powers to protect energy consumers. Here’s what’s changing and what it could mean for households.
Smartphone on surface showing Canva logo.
Canva data leak: what the alleged breach could mean for users
An alleged dataset linked to Canva has surfaced online, containing 900,000 user records. Here’s what’s been reported.
the logo of the brand "Rituals". Rituals is a company for Cosmetics.
Rituals data breach: what it means for UK customers
Rituals has confirmed a data breach affecting customer data across Europe and the UK. 
women travelers,waiting at train station journey,with luggage and large backpacks
Interrail data breach: why some travellers are being told to replace passports
Over 300,000 Interrail travellers had personal data exposed in a cyber incident. Some are now being advised to replace passports.
technician of health with blood tubes in the clinical lab for analytical / hand of doctor holding blood sample in tube test for analysis in laboratory
Nearly 200 Biobank data incidents raise concern as more private health records found online
UK Biobank data has reportedly been leaked nearly 200 times in a year. Here’s what it means for participants.
April calendar 2026 with Join the claim logo
What we’ve been working on at Join the Claim in April
A round-up of what we’ve been working on in April at Join the Claim, including new claims to watch, legal developments and practical consumer guides.
Warning road sign against a stormy sky saying Scam Alert
Scam alert update: April 2026
Stay alert this April with the latest scam warnings from Join the Claim
Smartphone on surface showing Google Play logo. Google Play is an app store.
What the Google Play Store claim means for UK users
Used the Google Play Store on an Android device between 2015 and 2024? Here’s what the UK claim against Google means for you.
Diagonal test tubes with blood with blue lids ready for test. Concept of medicine and science. 3d rendering
UK Biobank breach: can anonymised health data be traced back to you?
 UK Biobank says the leaked data was anonymised — but experts warn it may still be identifiable. Here’s why that matters.
A scientist in a white lab coat looks through a microscope in a laboratory. Another person is seen working in the background. The scene shows a busy research environment with equipment.
UK Biobank data listed for sale: what happened and what it means
 Health data from 500,000 UK Biobank participants was listed for sale online. Here’s what was exposed, what wasn’t, and why it matters.
Woman using Booking.com app
Booking.com scams explained: what “reservation hijacking” means for travellers
  A data breach at Booking.com is now being linked to a rise in so-called “reservation hijacking” scams. Here’s how to protect yourself.
employee and colleagues brainstorming how to fix employee data breach affecting systems
Employee data breaches are rising: what it means for your data
Employee data breaches are increasing across the UK. Here’s what’s happening & what it means for your personal information.
Man using smartphone to cancel subscription on digital app interface. Unsubscribe from online service membership or payment plan.
New laws will make it easier to cancel subscriptions and get refunds
New UK laws will make it easier to cancel subscriptions and get refunds. Here’s how subscription traps are being tackled.
AI concept Artificial Intelligence technology circuit motherboard chip computer
The dangers of AI: what consumers need to know
From data misuse and deepfakes to harmful content and bias, learn how AI can go wrong and what it means for your rights in the UK.
woman use booking app, booking com logo on the screen
Booking.com data breach: what travellers need to know
Booking.com has confirmed a data breach affecting customer booking details. Here’s how to protect yourself.
View all news

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.

© Join the Claim All Rights Reserved |

2026
Go to claims