Australian tech unicorn Canva has been hacked, with the data of about 139 million users stolen.
The start-up darling notified its users on Saturday of the attack, saying it had been made aware of it just the day before.
The company has since been criticised for how it initially communicated the hacking to its customers, with the email opening with details of its recent successes and acquisitions.
The personal information compromised included customer usernames, real names, email addresses and city and country information. No credit card or other financial information was taken, and the passwords that were accessed were stored as bcrypt hashes rather than in clear text, which Canva said makes them “unreadable by external parties”.
News site ZDNet first revealed the attack after being tipped off by the hacker, known as GnosticPlayers. The high-profile hacker is known for selling stolen data on the dark web.
The hacker has claimed to have downloaded user information up to 17 May; Canva said it detected the breach on 24 May and shut down the affected database server.
Up to 61 million users had their password hashes taken. The hashes were produced with bcrypt, a deliberately slow, salted password hashing function that is widely regarded as a sound choice, so the stored values cannot simply be reversed to recover the original passwords. The protection is not absolute, however: an attacker holding the hashes can still guess weak or reused passwords offline, one candidate at a time.
Canva is therefore still advising all its users to change their passwords as a precautionary measure.
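To make concrete why stolen hashes are “unreadable” and yet users are still told to rotate passwords, here is an added example (not Canva's code, and not derived from anything Canva has published). bcrypt is not in Python's standard library, so hashlib.scrypt, another salted and deliberately slow password hash, stands in for it; the properties demonstrated (per-password salt, no decryption step, verification only by recomputation, and offline guessing of weak passwords) hold for bcrypt too. The work parameters, the wordlist and the sample passwords are all constructed for the example.

```python
"""Added example: what a leaked password hash does and does not protect.

bcrypt is not in the standard library, so hashlib.scrypt stands in for it.
Both are salted, slow, one-way password hashes with the same properties.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# scrypt work parameters, assumed for the example (production uses higher).
N, R, P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "scrypt$N$r$p$salt_hex$hash_hex".

    A fresh random salt per password means two users with the same password
    get different stored values, so one cracked hash does not expose the other.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    There is no key and no decryption: the only way to check a candidate is
    to run the slow function again. That is why "encrypted" is the wrong word
    and "hashed" is the right one.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        dklen=len(hash_hex) // 2,
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def offline_guess(stored: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding the leaked hash can do: try candidates.

    The slow hash caps guesses per second per core, but it cannot stop a
    weak password from turning up in a short wordlist. Hence the advice to
    change passwords even though the hashes are "unreadable".
    """
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


# Constructed wordlist: the sort of short list an attacker tries first.
WORDLIST = ["123456", "password", "qwerty", "canva2019", "letmein"]


def demo() -> dict:
    """Hash a weak and a strong password, then attack both with WORDLIST."""
    weak = hash_password("canva2019")            # constructed weak password
    strong = hash_password("v7#Qp!2mZr9wLx$e")   # constructed strong password
    fixed_salt = b"\x00" * 16
    return {
        "weak_recovered": offline_guess(weak, WORDLIST),
        "strong_recovered": offline_guess(strong, WORDLIST),
        # Same password and same salt always give the same hash (deterministic).
        "same_salt_same_hash": hash_password("x", fixed_salt) == hash_password("x", fixed_salt),
        # Same password with fresh salts gives different stored values.
        "new_salt_differs": hash_password("x") != hash_password("x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the asymmetry it shows: the strong password survives the wordlist untouched, the weak one falls to five guesses, and nothing in between involves “decrypting” anything. A user who picked a strong, unique password loses little from a leak like this; a user who reused a common password should rotate it everywhere.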
[Image: Twitter reaction to Canva's breach notification. Image: Twitter]
“On 24 May, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI),” Canva said in a statement.
“We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their encrypted form. This means that our user passwords remain unreadable by external parties.
“However, in line with best practices, we recommend that you change your Canva password.”
Canva is now working with authorities to determine the source of the attack and how the attacker gained access to the personal information of its users.
“We are working with a forensics team that specialises in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack,” Canva said in an FAQ on its website.
“We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.”
The Sydney-based tech company was criticised for the way it first notified users of the hack, with an email opening with a paragraph on how Canva works to “empower” its users, and news of recent acquisitions, before detailing the breach.
Canva later sent a more to-the-point statement to its users about the attack.
“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement began.
The hacking incident comes just a week after Canva closed a massive $101 million Series D funding round which valued the company at $3.6 billion. The round included US venture firm General Catalyst and Bond Capital, along with existing investors Felicis Ventures and Blackbird Ventures.
It brings the total funding raised by Canva to US$140 million.
Last year Canva closed a US$40 million funding round which cemented the company as an Australian tech unicorn, valued at more than $1 billion.
The latest cash injection will be used by the company to grow global awareness of its services and continue expanding around the world.
Canva also last week acquired two large stock content sites – Pexels and Pixabay – adding more than 1 million free images to its platform.