Canva suffers 'security incident'

Australian start-up darling Canva, which recently secured US$70 million from investors — valuing the company at $3.6 billion — has suffered a ‘security incident’ and has advised all of its users to change their passwords.

The hacker claims to have have stolen customer details such as usernames, real names, email addresses, and city and country data, with up to 139 million people affected.

In a statement on its website, Canva said that “we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first”.

“On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).

“We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their encrypted form (for technical people — all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties.

“However, in line with best practices, we recommend that you change your Canva password.

“We apologize for the inconvenience.”

The Australian Cyber Security Centre (ACSC) said that it “is aware of a security incident affecting the Australian online design platform, Canva”.

“Canva assures the ACSC it has taken the necessary steps to mitigate the incident and is encouraging all users to change their passwords as a precaution,” the ACSC said.

In a Twitter thread, a number of potentially affected Canva users have vented their concerns and frustrations over the timeliness of notifications about the problem.

Image courtesy Canva.

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.