CIO

Australian ‘unicorn’ Canva hacked

High-profile startup warns of security breach

High-profile Australian startup Canva has revealed details of a significant security breach.

In a statement the company said that on 24 May it “became aware of a security incident”.

“As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI),” the company said.

During the breach a number of Canva usernames and email addresses were accessed. In addition, the company said that the hackers had obtained encrypted copies of Canva users’ passwords. The passwords were salted and hashed with bcrypt, Canva said.

“This means that our user passwords remain unreadable by external parties,” the company said in its statement. “However, in line with best practices, we recommend that you change your Canva password.”

Canva was launched in 2012. The company says it has “millions” of users across 179 countries. Those users create 10 new designs every second using the company’s online graphic design service.

The Australian Cyber Security Centre (ACSC) said it is “aware of a security incident affecting the Australian online design platform, Canva.”

“Canva assures the ACSC it has taken the necessary steps to mitigate the incident and is encouraging all users to change their passwords as a precaution,” the ACSC said in a statement.

Figures released earlier this month by the Office of the Australian Information Commissioner (OAIC) revealed that “cyber incidents” continue to be the leading source of data breaches that threaten Australians’ privacy.

Sixty-one per cent of the data breaches reported to the OAIC in the first three months of the year related to malicious or criminal attacks. Of those 131 breaches, 87 (66 per cent) involved cyber incidents.