Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Vakinha, Canva and others fall victim to data leaks.

18 October 2020
BREACHAWARE HQ

A total of 3 breaches were found and analysed resulting in 1,024,581 leaked accounts containing a total of 2 different data types. The breaches found publicly and freely available included Vakinha, Canva and Anti Agent.

Analysis of Public Data Breaches Involving Vakinha, Canva, and Anti Agent.

A trio of publicly available data breaches has resulted in the exposure of 1,024,581 user accounts, distributed across three compromised platforms: Vakinha, Canva, and a lesser-known entity identified as Anti Agent. Despite the seemingly small number of data types involved (only two categories of information were exposed), the significance of this breach event lies in the sheer volume of affected accounts and the diversity of platforms represented.

With over a million individuals potentially impacted, this set of breaches underscores key concerns about data stewardship, the lifecycle of user information, and the limitations of digital security across industries. The profiles of the affected organisations range from a crowdfunding platform and a widely used design tool to a platform that appears to have niche or politically sensitive applications. While the leaks may not include the most comprehensive datasets (e.g., lacking financials or full identity documents), the public and freely accessible nature of the data presents a substantial long-term risk, especially when combined with other available breaches or datasets.

Vakinha: Crowdfunding and Trust Exposure

Vakinha is a Brazilian crowdfunding platform that enables users to raise and donate money for a wide range of purposes, from medical expenses and educational pursuits to charitable causes and community-driven initiatives. With financial trust at the core of its functionality, any exposure of user data from such a service carries sensitive implications, even if the leak includes only basic data types like email addresses and hashed passwords.

A breach involving Vakinha affects not just donors, but also fundraisers, some of whom may have shared personal or emotional narratives in connection with their campaigns. Even with only two types of data exposed, attackers could target these individuals using social engineering tactics, phishing emails, or reputation attacks. It’s worth noting that many crowdfunding users may not be tech-savvy, making them especially vulnerable to scams or secondary breaches that attempt to leverage the leaked information.

Given the platform’s reach in Brazil and the nature of its user base, this incident could also raise questions around compliance with data protection laws, particularly Brazil's LGPD (Lei Geral de Proteção de Dados), which shares similarities with Europe's GDPR. Whether or not Vakinha was obligated to notify affected users or regulators remains unclear, but the public availability of the data suggests that many users may be unaware their accounts were compromised.

Canva: A Familiar Name in a Revisited Breach

The inclusion of Canva, a globally popular design and publishing tool, adds immediate gravity to this breach summary. Canva was previously involved in a high-profile breach in 2019 that affected tens of millions of users. While it’s unclear if this recent listing refers to a new breach or a subset of the older leak resurfacing, the fact that the data is freely and publicly available makes it a renewed threat.

Canva serves over 100 million users globally, including businesses, educators, marketers, and individual content creators. The compromise of even basic login credentials (which are among the two data types likely leaked here) could have wide-ranging consequences. Many users incorporate Canva into their professional workflows, and some may have integrated their Canva accounts with third-party services like Google, Facebook, or company SSO systems.

If passwords (even in hashed form) were part of the breach and not updated by users following the original incident, there is a strong likelihood of credential reuse across platforms. That opens the door to credential stuffing attacks that can impact not only Canva accounts, but also any associated services, especially if multi-factor authentication (MFA) was not enabled or enforced at the time.

This breach, even if technically “old,” serves as a reminder of how data breaches can persist in relevance long after the original intrusion. As new breach aggregators surface or previously private datasets are made public, the risk to end users can be reignited months or years after initial discovery.

Anti Agent: A Mysterious or Niche Platform

The least understood of the three breaches concerns a platform or entity labeled Anti Agent. Given the vagueness of the name, it may refer to a niche community, software tool, or politically aligned initiative, potentially one operating with a focus on anonymity or activism. The term "anti-agent" suggests associations with privacy, surveillance avoidance, or counterintelligence themes, though this is speculative.

In such cases, even small leaks of user data can be highly sensitive, depending on the nature of the user base. For instance, if Anti Agent caters to individuals seeking protection from monitoring, government oversight, or corporate surveillance, the exposure of account identifiers, even just emails or hashed credentials, could lead to significant personal risk.

The platform’s apparent obscurity may also mean its user base is relatively tight-knit or that its operators lack resources to detect, respond to, or disclose breaches effectively. The availability of the breach in public datasets may indicate that this incident went entirely unnoticed or unaddressed by the platform’s administrators.

Moreover, leaks from obscure platforms can sometimes serve as entry points into broader datasets, offering attackers usernames or password patterns that may be recycled elsewhere. In combination with larger or better-known platforms (such as Canva), even minimal data from niche platforms can enhance the success rate of credential testing attacks.

Minimal Data Types, Maximum Threat Surface

It is noteworthy that only two types of data were involved across these three breaches.

On their own, these data types might seem limited in sensitivity. However, they are foundational elements in the digital identity economy. Email addresses serve as unique identifiers across virtually all online platforms, and passwords, particularly if poorly encrypted or reused, are the master keys to personal and professional systems.

The volume of affected accounts (over one million) significantly amplifies the threat. The more credentials are exposed in a structured, searchable format, the easier it becomes for attackers to automate and scale their efforts, especially using existing tools for credential stuffing or phishing at industrial scale.

Breach Accessibility and the Open Threat of Public Datasets

A core concern across all three breaches is not simply that the data was leaked but that it was freely and publicly accessible. In contrast to breaches traded privately on forums or dark marketplaces, public availability means that any actor with internet access can obtain and weaponise the information.

This has implications not only for direct misuse (e.g., account compromise) but also for secondary harms:
* Identity spoofing in other communities
* Targeted phishing campaigns using platform familiarity (e.g., Canva-themed scams)
* Social graph mapping through reused usernames and emails

The fact that some of these breaches (like Canva) are possibly re-emerging adds to the long-term burden of data breach management. Users are unlikely to remember whether they changed their passwords years ago, and many small platforms never enforce password resets, even after a known compromise.

Broader Considerations

This group of breaches illustrates several key cybersecurity trends:
* Old breaches don’t die; they resurface, recombine, and reenter circulation in new forms.
* Platform trust is fragile, particularly when personal and professional use overlaps.
* Minimal data exposure can yield disproportionate harm, especially when large-scale and publicly accessible.

Whether involving small, niche platforms or household names like Canva, the implications of user data loss continue to ripple across digital ecosystems, long after the moment of compromise.

Data Categories Discovered

Contact Data, Technical Data.
