Yesterday I posted here on Notes about a security breach and compromise of account details on the Tuts+ Premium service. If you have a Tuts+ Premium account, and have not done so yet, I strongly recommend reading that post and following the recommended actions to safeguard yourself.
I am posting now with more information about what happened, what we are working on, and what we are offering to affected users.
What We Are Working On
We are currently urgently patching the Tuts+ Premium system, and passwords will no longer be stored in cleartext. I anticipate the service will be coming back online in the next 24 hours, with all passwords reset, hashed and individually salted (a best practice). It is still a work in progress so the timeline may change.
Additionally we have been working to identify the source of the breach and method of attack. We have put countermeasures in place against this exploit and are adding further ones.
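For readers who want to see what "hashed and individually salted" means in practice, here is an added illustration of the storage scheme described above. It is not code from the Tuts+ Premium system, Envato or aMember; the key-derivation choice (PBKDF2-HMAC-SHA256 with a 16-byte random salt per user) and every name in it are assumptions made for the example. The point it demonstrates is that two users with the same password end up with different stored records, that a login check never needs the original password, and that the comparison is done in constant time.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed parameters for this example (not taken from the original post):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per user, and an iteration count
# in line with current OWASP guidance for that construction.
ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What the accounts table holds instead of the cleartext password."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """Derive a salted hash; a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


class UserStore:
    """In-memory stand-in for an accounts table: username -> StoredCredential."""

    def __init__(self) -> None:
        self._users: Dict[str, StoredCredential] = {}

    def set_password(self, username: str, password: str) -> None:
        # Every (re)set draws a new salt, so a forced reset after a breach also
        # invalidates any precomputed table built against the old records.
        self._users[username] = hash_password(password)

    def record(self, username: str) -> Optional[StoredCredential]:
        return self._users.get(username)

    def check_login(self, username: str, password: str) -> bool:
        cred = self._users.get(username)
        if cred is None:
            # Unknown user: do a comparable amount of work anyway so the response
            # time does not reveal whether the account exists.
            hash_password(password)
            return False
        return verify_password(password, cred)


def demo() -> dict:
    """Constructed sample: two users who chose the same password."""
    store = UserStore()
    store.set_password("alice", "correct horse battery staple")
    store.set_password("bob", "correct horse battery staple")
    a, b = store.record("alice"), store.record("bob")
    return {
        "same_password_distinct_records": a.digest != b.digest and a.salt != b.salt,
        "alice_login_ok": store.check_login("alice", "correct horse battery staple"),
        "alice_wrong_password_rejected": not store.check_login("alice", "Correct horse battery staple"),
        "unknown_user_rejected": not store.check_login("carol", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the salt is stored alongside the digest, nothing secret needs to be kept outside the table; the protection comes from each record forcing an attacker to guess against it individually at the full cost of the key derivation.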
Our Tuts+ Premium service has been running for a long time on a product called aMember v3 which I purchased and installed in the early days of Tuts+. This product operates by storing passwords in cleartext as a way to integrate with WordPress and other services. This is not a good practice, and it was clear that we needed to move away from this setup.
In retrospect an immediate patch would have been the right approach, but through bad prioritisation and poor estimation of the work involved, I pushed forward a plan to build an alternative from scratch and get off aMember completely. I should also note that aMember had in the meantime released an upgrade to their service which deals with the issue, though an upgrade with our heavily modified system was a significant endeavour. As can happen with rebuilds, the project took longer than anticipated and consequently we continued on with a poor setup and high risk situation.
I’d like to take a moment to be clear that this wasn’t a failure of, or a reflection of, the professionalism and integrity of our development or Tuts+ teams. It is my responsibility as CEO of Envato to prioritise and make calls on issues like this, and I did not give it the urgency it needed. When our systems came under attack, the consequences became much larger and worse than they should have been.
From here on, along with addressing this situation, we are going to be taking a long and hard look across the company at all areas of security, even the ones we feel very confident about.
One month refunds for all current Tuts+ Premium paying members
In consideration of the downtime of the service, in the next 48 hours, we will be issuing a one-month refund to every current paying Tuts+ Premium account holder. This will be $19 USD for Monthly and Yearly members and $9 USD for Basic members.
We’ll be pushing out the payment of refunds as soon as possible on an automated basis, so there is no need to do anything in order to receive the refund. If you are a current paying member, you should receive a refund in the next 48 hours, either through PayPal or Moneybookers/Skrill depending on your current payment method.
Once the payment has been processed, we will post an update back here on this Notes post confirming it, along with information about what to do if something has gone wrong with your payment.
Two months of free access for ALL affected users
Regardless of whether a person was a current or expired member or just someone who signed up but never paid or used the service, we will be offering two free months of access to the Tuts+ Premium service. Despite this situation, I stand by our product as a fantastic resource and hope that this goes some small way to saying sorry to all the affected users.
Once the service is back online, I’ll post up more details about the two months free access. For now all efforts in this area are going towards bringing the patched up service back online.
How wide was the breach?
We would like to reiterate that only Tuts+ Premium has been compromised. The security breach does not affect any other Envato sites, such as the Envato Marketplaces. And to be clear: other Envato services follow best practices with regards to the security and safety of data.
We have never stored financial data on Tuts+ Premium. We DID store each user’s username, first name, last name, password, email address and payment email address, where provided. If you haven’t already, please urgently:
(1) Update passwords on ANY service you use that uses the same password as the ones you had on Tuts+ Premium.
(2) In particular you should consider your own email account, PayPal, Moneybookers, and other payment services. These are the most sensitive targets, and if you had the same password, you should consider this an urgent priority. If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use.
(3) If you use the same password on any other Envato service such as the Envato Marketplaces, you should change your password there too.
As outlined above I expect that within 24 hours we should have Tuts+ Premium back online with the cleartext password issue addressed, and information on how to access your account again. Within 48 hours we should have the refunds processed. And around that same time I should have a follow-up post about the two months of free access.
We’re extremely sorry
We are deeply disappointed this happened, empathise with all affected users and completely understand the level of outrage, frustration and disappointment that has been expressed. We are doing everything we can to make things right, and hope that over time we can rebuild your faith and trust in Tuts+ Premium and Envato by adhering to and championing security best practices into the future.
As CEO of Envato, I am personally extremely sorry and apologise to all our users and members, and to the staff, writers, instructors and developers who work on these sites. We will do better in the future.
If you have any questions, concerns or account-related requests, please don’t hesitate to contact Envato Support for one-to-one assistance: http://support.envato.com.