UPDATED 22:19 EDT / MAY 27 2019

139M customer records stolen in hack of popular graphic design tool site Canva

Around 139 million customer records have been stolen in a hack that targeted graphic design tool website Canva Pty. Ltd.

The data theft occurred on May 24, with the details coming to light only after the hacker or hacking group behind the attack, GnosticPlayers, tipped off ZDNet Friday. The data stolen included customer usernames, real names, email addresses and geographic location information.

Canva, a startup based in Sydney, Australia, and a darling in a country that has lacked for successful tech unicorns outside Atlassian Corp., was notably slow to even notice it had been hacked and reacted only after the news went public. To make matters worse, the company informed users of the hack with an email that buried the details under what the Australian Financial Review described as “marketing fluff.”

To its credit, Canva has been highly successful in offering a graphic design platform that some compare to Adobe Systems Inc.’s Photoshop. The company operates on a freemium model that includes a free tier with payments required to unlock additional features. Canva’s enterprise plan is priced at $12.95 per use for full access to all of its features.

While the details of the hack were first coming to light, company founder Melanie Perkins gave an interview with Nine Entertainment Co. about how she created the company off the back of “kitesurfing and pitching.” If the flippancy post-hack by the company wasn’t bad enough, its FAQ page doesn’t improve things, providing little in the way of substantive detail and describing the theft of 139 million customer records as simply a “security indictment.”

“We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack,” the FAQ states. “We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.”

The company did note that passwords stolen in the hack were hashed using bcrypt, making them extremely difficult to crack.

GnosticPlayers has been in the news previously. A report in February noted that the person or group was selling account details hacked from GIF hosting service Gfycat along with a range of smaller sites. Previously the group had offered for sale hacked user data from FitnessPal, MyHeritage, ShareThis and Coffee Meets Bagel. It’s likely Canva’s user details will be offered for sale on the dark web shortly.

Photo: hanuska/Flickr
