Today we learned that the Tuts+ Premium server was compromised, and sensitive data including email addresses and passwords were accessed before we were able to detect and stop the unauthorized intrusion.
We have taken the site down while we ensure that account security is restored, and have reset the password for all account holders (active, inactive and expired). We will shortly email all account holders to let them know what has happened and what immediate actions should be taken.
Before we get to the details, I first want to apologise to all affected users. We are so sorry this has happened and will be working hard to mitigate and address the situation as much as possible.
In short, the server was compromised and the attackers gained access to a large portion of the system. Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. neither hashed nor encrypted). Storing cleartext passwords is bad practice for a variety of reasons, but principally because any compromise of the database hands the attacker every user's actual password, rather than a salted hash that would still have to be cracked, and those passwords can then be tried wherever they have been reused.
Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.
The breach was discovered earlier today, the exploits have been tracked down and removed, and the whole service shut down to ensure the compromise is isolated.
What Sites Were Affected
The only Envato service that has been identified as being compromised is the subscription service Tuts+ Premium.
What You Should Do Immediately
If you have ever signed up to a Tuts+ Premium account, even if you are no longer active, your account expired, or you just dropped off before actually paying, you will have an account in the compromised database. You should immediately change the password on any accounts that may have used the same password as your Tuts+ Premium account.
In particular, email accounts and financial accounts (such as PayPal or Moneybookers/Skrill) should be an urgent priority. If you had used the same password for any email account containing sensitive information, we recommend that you change the passwords for all your online accounts since an email account breach can be used to breach other accounts.
Similarly if you use the same access details on other Envato services such as the Marketplaces, you should make it a priority to update your access details across those services.
What Is Happening With Tuts+ Premium
We have locked down the Tuts+ Premium service and taken it offline while we first ensure that everyone at risk has been informed of the situation, and that the breach is isolated.
All user passwords have been reset to a randomized string, and I anticipate the service will be brought back online within 48 hours.
When Tuts+ Premium comes back online, users will need to choose a new password to begin using the service again. We strongly recommend using a password that is unique to Tuts+ Premium and follows general password best practices.
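To make the two points above concrete, the cleartext storage described earlier in this post and the forced reset to a randomized string described just above, here is an added example. It is not Envato's code and not the plugin's code; both stores are constructed in-memory stand-ins for a user table, the emails and passwords are made-up sample data, and the PBKDF2 work factor is an assumed value for the example.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not Envato's or the third-party plugin's code. Both stores are
# constructed in-memory stand-ins for a user table; emails and passwords used
# with them are made-up sample data.

PBKDF2_ITERATIONS = 210_000  # assumed work factor for this example
SALT_BYTES = 16


class CleartextStore:
    """Mimics the plugin behaviour described in the post: the password itself
    is written to the database, so a dump reveals every password directly."""

    def __init__(self):
        self.rows = {}

    def create(self, email, password):
        self.rows[email] = {"password": password}

    def verify(self, email, password):
        row = self.rows.get(email)
        return row is not None and row["password"] == password

    def dump(self):
        # What an attacker who reads the database obtains.
        return {email: dict(row) for email, row in self.rows.items()}


def derive(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 over the UTF-8 password; returns raw digest bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password):
    """Fresh random salt per user, so identical passwords hash differently
    and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex(), "must_reset": False}


class HashedStore:
    """Hardened replacement: the database holds only salted, iterated hashes."""

    def __init__(self):
        self.rows = {}

    def create(self, email, password):
        self.rows[email] = hash_password(password)

    def verify(self, email, password):
        row = self.rows.get(email)
        if row is None:
            # Do the same work for unknown emails so response time does not
            # reveal which addresses are registered.
            derive(password, bytes(SALT_BYTES), PBKDF2_ITERATIONS)
            return False
        if row["must_reset"]:
            return False  # credential invalidated; user must choose a new password
        candidate = derive(password, bytes.fromhex(row["salt"]), row["iterations"])
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(row["hash"]))

    def invalidate_all(self):
        """Forced reset after a compromise: overwrite every credential with the
        hash of a random string nobody knows, and flag the row so login is
        refused until the user sets a new password."""
        for email in list(self.rows):
            self.rows[email] = hash_password(secrets.token_urlsafe(32))
            self.rows[email]["must_reset"] = True

    def set_new_password(self, email, password):
        self.rows[email] = hash_password(password)

    def dump(self):
        return {email: dict(row) for email, row in self.rows.items()}


def attacker_view(store):
    """Plaintext passwords recoverable from a dump of `store` without any
    cracking: every one of them for CleartextStore, none for HashedStore."""
    return {row["password"] for row in store.dump().values() if "password" in row}
```

The contrast is the whole point: a dump of `CleartextStore` is the password list, while a dump of `HashedStore` still has to be cracked one guess at a time, and a reset via `invalidate_all` leaves nothing an attacker already holds usable against the site.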
I will also be posting more information about what we will be doing, going forward.
We’re Extremely Sorry
To all Tuts+ Premium account holders, and all Envato members who trust us with their private information, we are so sorry this has happened. We are deeply and urgently committed to addressing this situation and ensuring that the damage caused by the attack is minimized as far as possible.
As a company that teaches and preaches best practices, it’s deeply disappointing to me to not only have been the victim of a security attack, but to be running software that doesn’t follow those same best practices. This is a situation we will be working to address.
If you have any questions, concerns or account-related requests, please don’t hesitate to contact Envato Support for one-to-one assistance: http://support.envato.com.
A few users have asked if any financial information has been compromised. All payments are made via off-site services (PayPal and Moneybookers/Skrill), so information you put into those services (e.g. credit card details into PayPal) is NOT compromised.
However, I would reiterate that if you are using the same password on one of those services, you should update it immediately.