On May 24, 2019, Canva identified their systems were attacked and posted an announcement about the breach, urging users to change their passwords. 139 million users were affected, and information taken includes usernames, real names, email addresses and location. 61 million users' data included password hashes, and for other users, Google tokens were taken. . Seven months later, on the 11th of January 2020, Canva became aware of 4 million user passwords had been decrypted and shared online. Following the discovery, on the 12th of January Canva has forcefully reset the password of every user that had not changed it since the date of the incident.