Australian graphic-design-as-a-service company Canva has alerted its users to an attack that has seen "a number of our community’s usernames and email addresses ... accessed."
The attack was detected on Saturday, Australian time. The company's letter to users also adds "The hackers also obtained passwords in their encrypted form (for technical people: all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties."
But the company is sufficiently concerned by the incident to advise users that " ... in line with best practices we recommend that you change your Canva password".
Canva's FAQ for the incident reassures users "There have been no indications that any user designs have been accessed" and adds that as the company holds no credit card data, users have nothing to fear on that front.
But the company has little to say on the source of the incident. "We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack," the FAQ states, adding that "We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again."
Canva has over 130 million users and is one of Australia's most prominent technology companies. It has recently acquired two image archive sites and been recognised among the nation's best workplaces.
The firm has also spent part of the weekend fighting a bug that left some users unable to download artwork they created with the service, according to the Canva status page.
CRN will update this story as more information becomes available.