Last month when the Heartbleed bug came to light, we immediately patched the exploit, and notified users via Notes, forums, and email newsletters, explaining Envato’s response and advising all Envato users to change their password.
Since then we’ve been tracking the number of password updates on our system and while it’s good to see some of the community being proactive about their security there’s still a large number of users who have not yet updated their details.
Along with the Heartbleed exploit, the last year also saw the highly public Adobe leak of user account details. These and similar security incidents have led to an increase in attempts to use leaked lists to find people with weak or repeated account details. In recent months, both prior and since Heartbleed, we’ve seen an uptick in these sorts of access attempts on the Envato userbase. While we deal with vulnerabilities and incidents quickly and aggressively, the most effective action is always a complex and unique password choice. That is why we feel it is now necessary to require all users to change their password if they have not already done so.
Required Password Reset
If you have not updated your password since the Heartbleed exploit patch at 06:42am on 8th April 2014 UTC and you are currently logged in to an Envato site, you will be logged out and required to reset your password before you can continue to use the site. If you are not currently logged in the change will be required when you next log in.
You will need to use a brand new password. Because we have much stronger password requirements than in previous years, this will simultaneously require all our users to increase their password strength.
I’d like to apologize for the inconvenience today’s measure will cause, but the security of all our member’s accounts has to be our first priority. Please review the FAQs below for more detailed information. Continue Reading