Australian start-up Canva has warned users to change their passwords following a security breach that took place on 24 May.
The graphic-design-as-a-service company said its systems were attacked and that the hackers stole passwords in their encrypted form.
Canva reassured users that their passwords were salted and hashed with bcrypt, meaning they remain unreadable by external parties. However, as a precaution, the company recommended users change their passwords.
According to Canva, a number of user names and email addresses were also accessed.
“As soon as we became aware, Canva immediately took steps to determine the nature and scope of the problem, and alerted law enforcement,” a company statement read.
“We are working with a forensics team that specialises in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack.
“We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.”
Canva added that there was no suggestion that user designs were stolen by the hackers and that credit card details remained safe and “confidential”.
In addition, users logging on to Canva through Facebook and Google were unaffected by the breach and, as such, were not advised to change their passwords.
The Australian Cyber Security Centre (ACSC) said it was aware of the incident and had been assured Canva had taken the “necessary steps to mitigate the incident”.
Founded in 2012, Canva claims to have more than 10 million users and 100 staff members. In January 2018, it reached a $1 billion valuation, earning it the moniker of a tech 'unicorn'.
According to the most recent quarterly report from the Office of the Australian Information Commissioner (OAIC), the number of cyber breaches fell to 215, making January to March 2019 the period with the lowest number reported so far.
A total of 61 per cent of the reported breaches related to malicious or criminal attacks, of which 66 per cent involved cyber incidents such as phishing, malware, brute-force attacks, or compromised or stolen credentials.