Attack against graphic design site said to impact 139 million users

Canva, a popular online design toolkit, said it is working “around the clock” to investigate an attack on its systems that may have resulted in the data of 139 million users being compromised.

In an alert issued over the weekend, Canva said: “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities.”

The Australia-based company said that “a number” of usernames and email addresses were accessed by attackers.

However, ZDNet’s Catalin Cimpanu – who broke the story after receiving a tip-off from the alleged hacker – said the number of potentially impacted Canva users could be somewhere in the region of 139 million.

In an update this morning, Canva said:

“Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.”

In addition to usernames and email addresses, the company said the hackers obtained passwords in their encrypted form (salted and hashed with bcrypt).

While these passwords remain unreadable by external parties, users have been urged to change their Canva passwords.

The Daily Swig has asked the company if its investigation has shone any light on the number of impacted customers.

Blank Canva

Founded in 2012, Canva is a community-focused design site that allows users of varying abilities to create graphics for presentations, posters, and social media.

The tech firm, which gained popularity for its user-friendly drag-and-drop functionality, recently raised $70 million in its latest funding round.

In the days following the attack, the business came under fire from some users who claimed that the news of the security incident was buried below a paragraph of “marketing fluff”.

While these users do have a point, it should also be noted that Canva set about informing customers within 24 hours of being alerted to the incident, and since then has been actively answering questions on social media.

“The prompt honesty is much more appreciated than those companies who are afraid of admitting a breach,” said one Twitter user.

“Thank you for your honesty and transparency,” added another.

