
Canva under cyber-attack, with reportedly as many as 139 million users affected

  • San Francisco-based, Australia-founded graphic design platform Canva has experienced a “security incident” which has given unauthorised third parties access to user data.

  • The Australian Cyber Security Centre is urging Canva users to change their passwords.

  • Technology website ZDNet is reporting that hacker organisation GnosticPlayers has claimed responsibility for the attack, and that as many as 139 million users could be affected.

Australian-founded global graphic design website Canva has experienced what it describes as a “security incident” and is advising users to change their passwords.

In a statement on the Canva website, the startup said it had notified the relevant authorities.

“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said.

“On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).

“We’re aware that a number of our community’s usernames and email addresses have been accessed.”

The statement also confirms that “hackers” are believed to be responsible for the security breach. ZDNet has reported that hacker organisation GnosticPlayers has claimed responsibility for the attack and that as many as 139 million users could be affected.

Government agency the Australian Cyber Security Centre (ACSC) has confirmed that it has knowledge of the incident and is also advising users to change their passwords. Business Insider Australia understands that Canva proactively alerted the ACSC to the breach.

But not everyone is happy with Canva’s response to the attack. IT consultant and self-described “Drupalista” Dave Hall took to Twitter to criticise the wording Canva allegedly used in a communication sent to users on Saturday as well as the delayed response from Canva co-founder and CEO Melanie Perkins.

Responding to the criticism, a Canva spokesperson told Business Insider Australia that the company made changes to the initial email to users after receiving negative feedback.

“We listen to our customers’ feedback very carefully,” the spokesperson said. “We had some early feedback, and iterated on the email immediately. Here is the current email. We have also been communicating to users within the platform, on social media, and via our customer support channels.

“We are working with law enforcement agencies to ensure that all possible safeguards are put in place to help prevent a future attack. We will continue to notify appropriate authorities as our investigations progress. In the meantime, as a precaution, we are encouraging all users to update their passwords.”

Perkins and her Canva co-founder Cliff Obrecht have recently been added to the Australian Financial Review’s Rich List, with an estimated fortune of at least $500 million each following Canva’s most recent valuations.

Business Insider Australia has sought more information from Canva on the number of users affected. This story is developing and the article will be updated accordingly.

UPDATED 12:18PM 27/5/2019: This article was updated to include comments from a Canva spokesperson.

