The graphic design website Canva was hacked last Friday in an data theft incident that reportedly compromised the data of approximately 139 million users.

According to an online support page, Sydney-based Canva detected the attack while in progress on May 24, and immediately took action to fix the cause of the breach. Exposed data included usernames, email addresses, and encrypted passwords, which were salted and hashed with the bcrypt algorithm. Actual customer names and city and country information were also accessed, according to ZDNet, which was contacted by the hacker.

“I download everything up to May 17,” the hacker reportedly said. “They detected my breach and closed their database server.” The report identifies the culprit as Gnosticplayers, a hacker that so far this year has attempted to hawk the stolen data of nearly one billion online accounts, via a dark web marketplace.

Customer designs and payment card information were not impacted, Canva’s team announced.

“Our teams have been working around the clock to investigate the attack and communicate with our customers,” the company statement reads. “We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers.”

Canva also said it is engaging with both forensic experts and law enforcement authorities, including the FBI.