Technology website ZDNet is reporting that hacker organisation GnosticPlayers has claimed responsibility for the attack, and that as many as 139 million users could be affected.
Australian-founded global graphic design website Canva has experienced what it describes as a “security incident” and is advising users to change their passwords.
This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.
— Canva (@canva) May 25, 2019
In a statement on the Canva website, the startup said it had notified the relevant authorities.
“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said.
“On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).
“We’re aware that a number of our community’s usernames and email addresses have been accessed.”
The statement also confirms that “hackers” are believed to be responsible for the security breach. ZDNet has reported that hacker organisation GnosticPlayers has claimed responsibility for the attack and that as many as 139 million users could be affected.
Government agency the Australian Cyber Security Centre (ACSC) has confirmed that it has knowledge of the incident and is also advising users to change their passwords. Business Insider Australia understands that Canva proactively alerted the ACSC to the breach.
But not everyone is happy with Canva’s response to the attack. IT consultant and self-described “Drupalista” Dave Hall took to Twitter to criticise the wording Canva allegedly used in a communication sent to users on Saturday as well as the delayed response from Canva co-founder and CEO Melanie Perkins.
Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you’ve been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl
— Dave Hall (@skwashd) May 25, 2019
No mention of the Canva breach from @MelanieCanva‘s twitter account. Maybe she started reading the internal memo and thought it was all marketing crap so deleted it before getting to the crucial information.
— Dave Hall (@skwashd) May 25, 2019
Responding to the criticism, a Canva spokesperson told Business Insider Australia that the company made changes to the initial email to users after receiving negative feedback.
“We listen to our customers’ feedback very carefully,” the spokesperson said. “We had some early feedback, and iterated on the email immediately. Here is the current email. We have also been communicating to users within the platform, on social media, and via our customer support channels.
“We are working with law enforcement agencies to ensure that all possible safeguards are put in place to help prevent a future attack. We will continue to notify appropriate authorities as our investigations progress. In the meantime, as a precaution, we are encouraging all users to update their passwords.”
Perkins and her Canva co-founder Cliff Obrecht have recently been added to the Australian Financial Review’s Rich List, with an estimated fortune of at least $500 million each following Canva’s most recent valuations.
Business Insider Australia has sought more information from Canva on the number of users affected. This story is developing and the article will be updated accordingly.