Tuts+ Premium Account Security Compromised



Update #3: Free Access Information

Update #2: Tuts+ Premium Back Online and Patched

Update #1: More Info, Refunds, Free Access

Today we learned that the Tuts+ Premium server was compromised, and sensitive data including email addresses and passwords were accessed before we were able to detect and stop the unauthorized intrusion.

We have taken the site down while we ensure that account security is restored, and have reset the password for all account holders (active, inactive and expired). We will shortly email all account holders to let them know what has happened and what immediate actions should be taken.

Before we get to the details, I first want to apologise to all affected users. We are so sorry this has happened and will be working hard to mitigate and address the situation as much as possible.

What Happened

In short, the server was compromised and the attackers gained access to a large portion of the system. Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted). The storage of cleartext passwords is a bad practice for a variety of reasons, but principally because any sort of compromise grants the attacker full password details.

Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.
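To make the point above concrete, here is an added example (code written for this page, not Envato's or the aMember plugin's code) that puts the storage pattern the post describes beside the hardened form. The cleartext store keeps the password itself, so a copy of the table hands over every credential; the hardened store keeps only a random per-user salt and a slow derived digest, verifies with a constant-time comparison, and reveals nothing readable if the table leaks. The class names, function names and sample accounts are all constructed for the illustration.

```python
# Added example for this page (not Envato's or the aMember plugin's code):
# a cleartext password store beside a salted, iterated-hash store.
# Class names, function names and sample accounts are constructed.
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16


class CleartextStore:
    """The anti-pattern described in the post: each row holds the password
    itself, so whoever reads the table holds every credential at once."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = password

    def verify(self, email, password):
        return self.rows.get(email) == password

    def dump(self):
        # What a copy of the table exposes.
        return dict(self.rows)


class HashedStore:
    """Hardened form: a random per-user salt and a slow keyed derivation.
    A leaked row yields only salt and digest, which must be guessed against
    one user at a time rather than simply read."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(SALT_BYTES)
        self.rows[email] = (salt, self._derive(password, salt))

    def verify(self, email, password):
        row = self.rows.get(email)
        if row is None:
            # Derive anyway so the response time does not reveal whether
            # the account exists.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = row
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def dump(self):
        return {email: (salt.hex(), digest.hex())
                for email, (salt, digest) in self.rows.items()}


def compare_leaks():
    """Register two constructed accounts in both stores and return what a
    dump of each store would reveal: (cleartext_dump, hashed_dump)."""
    accounts = [("alice@example.com", "correct horse battery"),
                ("bob@example.com", "hunter2")]
    clear, hashed = CleartextStore(), HashedStore()
    for email, password in accounts:
        clear.register(email, password)
        hashed.register(email, password)
    return clear.dump(), hashed.dump()


if __name__ == "__main__":
    cleartext_dump, hashed_dump = compare_leaks()
    print("cleartext store leak:", cleartext_dump)
    print("hashed store leak:", hashed_dump)
```

Running the block prints the two dumps side by side: the first contains the passwords as typed, the second only hex salts and digests. The dummy derivation on the unknown-account path and the `hmac.compare_digest` call are the two details that are easy to leave out when bolting hashing onto an existing plugin.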

The breach was discovered earlier today, the exploits have been tracked down and removed, and the whole service shut down to ensure the compromise is isolated.

What Sites Were Affected

The only Envato service that has been identified as being compromised is the subscription service Tuts+ Premium.

What You Should Do Immediately

If you have ever signed up to a Tuts+ Premium account, even if you are no longer active, your account expired, or you just dropped off before actually paying, you will have an account in the compromised database. You should immediately change the password on any accounts that may have used the same password as your Tuts+ Premium account.

In particular, email accounts and financial accounts (such as PayPal or Moneybookers/Skrill) should be an urgent priority. If you had used the same password for any email account containing sensitive information, we recommend that you change the passwords for all your online accounts since an email account breach can be used to breach other accounts.

Similarly if you use the same access details on other Envato services such as the Marketplaces, you should make it a priority to update your access details across those services.

What Is Happening With Tuts+ Premium

We have locked down the Tuts+ Premium service and taken it offline while we first ensure that everyone at risk has been informed of the situation, and that the breach is isolated.

All user passwords have been reset to a randomized string, and I anticipate the service will be brought back online within 48 hours.

When Tuts+ Premium comes back online, users will need to choose a new password to begin using the service again. We strongly recommend using a password that is unique to Tuts+ Premium and follows general password best practices.

I will also be posting more information about what we will be doing, going forward.

We’re Extremely Sorry

To all Tuts+ Premium account holders, and all Envato members who trust us with their private information, we are so sorry this has happened. We are deeply and urgently committed to addressing this situation and ensuring that the damage caused by the attack is minimized as best as possible.

As a company that teaches and preaches best practices, it’s deeply disappointing to me to not only have been the victim of a security attack, but to be running software that doesn’t follow those same best practices. This is a situation we will be working to address.

If you have any questions, concerns or account-related requests, please don’t hesitate to contact Envato Support for one-to-one assistance: http://support.envato.com.


Update

Financial Information
A few users have asked if any financial information has been compromised. All payments are made via off-site services (PayPal and Moneybookers/Skrill), so information you put into those services (e.g. credit card details into PayPal) is NOT compromised.

However I would reiterate that if you are using the same password on one of those services, you should update it immediately.

  • http://codecanyon.net/user/dtbaker dtbaker

    Ouch! Good luck guys! These things suck.

    • Zach

      These things are preventable.

    • Paul

      It’s their own fault.

    • joomlagraphic

      At least envato had the courage to tell us unlike most major corporations and banks. In those cases if you were truly affected you’d notice it by your bank balance within a week.

      Now I just need to locate some software that can save all my different usernames and passwords on desktop and mobile for the 50+ websites that I regularly use since my best ones became my worst ones.

    • https://syntress.com Lane Campbell

      Since no one else seems to be posting a link, let me recommend http://www.lastpass.com as a tool for everyone to keep unique passwords for websites. I’ve been using them for years and despite all these high profile hacks I have never had a serious issue. Switch to letting Lastpass generate your passwords today for some peace of mind.

    • Sean

      Wow, I pay $200 a year for something that can’t protect my information. Wonder how they are going to make it up to everyone.

    • http://blogryan.net Ryan

      1Password works pretty good for me saving my passwords, and is sync’d on all my computers with Dropbox.

    • Joost

      And if you don’t want to put all your eggs in the Lastpass basket, I recommend http://crypto.stanford.edu/PwdHash/ ! It basically hashes locally using your master password in combination with the url of the website, resulting in unique passwords for everything. With the firefox plugin, you won’t even notice you’re using it :)

    • Andre

      Good luck guys! Hope the site come online soon. Miss my training. I guess we will see a new Training series about security. :)

    • Ajmal

      @joomlagraphic

      To add to Lane Campbell’s point, say if you have 50 websites and 3 of them are identicals, you can use LastPass to locate which passwords are the same and change only the affected ones.

      But best to use LastPass with randomize passwords but in case you need a memorable ones and use it across platforms (like for your iPhone etc.), LastPass can help with that too.

    • Jason

      Wow I was visiting the site to sign up LOL NOT NOW!!!

  • http://flyerheroes.com Adam

    Thanks for the update Collis, these things happen I guess.

    Glad to hear you’re on top of the issue though!

    • Jonathan

      Adam, I appreciate your forgiveness, but I disagree. Saving plain text passwords should NEVER happen…especially not from an organization like Envato. This is very unprofessional, and if anyone should know better it is them.

      Frustrating.

    • Sid

      Oh yeah? “Things” shouldn’t happen. Especially for a site that espouses good practice in web development. Saying they had a plan to upgrade is a sad excuse.

      And like it or not people use the same password or a variation of it on multiple sites. It’s a major headache for a LOT of users.

      Envato has failed its users and failed miserably.

    • Zero

      I agree with Jonathan. That’s ignorant that a third party wouldn’t even encrypt passwords and just as bad that this third party software was used even though it knowingly didn’t encrypt information. I know it’s the internet and virtually nothing is safe, but you could at least give them a challenge?

    • jay

      It’s nice you are so willing to forgive the loss of your personal information, but these things should NEVER happen. Saving passwords in clear text?? For real???

      I’ve been spending the better part of an hour (my time) scouring my online accounts changing passwords when needed and all they say is “Duhhh, I’m sorry”.

      Compensation is due here, not some hollow apology. There is an agreement when you sign up for a service that your personal information is secure, ESPECIALLY with a site that teaches you best practices.

      This is not only embarrassing, I feel it borders on criminal.

    • Roberto

      I agree with Jonathan as well, If you use a plugin, you use it because it’s a better and a proven solution , not because you are lazy!

    • Farmers Not Felons

      >Thanks for the update Collis, these things happen I guess.

      Are you serious? These things happen because of a total lack of understanding about security. Plain text passwords in 2012? Come on, that is just pathetic.

    • joomlagraphic

      It is strange all the passwords weren’t salted hashes before they were saved. Perhaps it’s time for Envato to research a free secondary password activation policy via SMS like paypal offers?

      Considering Envato payments are similar to bank deposits at least Envato and its customers would feel much safer with an optional activation system in place for all it’s marketplaces and subscription offerings.

    • Peter

      I bloody well agree. Who in this day and age stores passwords as cleartext? That’s a security risk in itself! YOU should know better Envato.

    • http://www.windkr89.nl Erik

      These things shouldn’t happen! It’s the worst thing you can do! It’s really bad practice that these passwords are stored as plain text and that we hear it now when it goes wrong. I didn’t expect that Envato would work this way, especially with all the tutorials about security.

      The longer I think about it, the angrier I get… so I should stop now….

    • Zeshan

      I agree with Jonathan,,
      But guys can you please tell me a bit about Plaintext Passwords..?

  • http://codecanyon.net/user/dtbaker dtbaker

    * points * amember signup links are still active from free tuts sites.

    • http://codecanyon.net/user/dtbaker dtbaker

      :) all goodski now

    • http://iamcollis.tumblr.com Collis Ta’eed

      Well spotted, that’s fixed now!

  • felix

    Kinda weird that you know that the plugin is storing cleartext passwords and you’re still using it. Especially from a site which teaches people how to do things I wouldn’t have expected that :/

    • http://iamcollis.tumblr.com Collis Ta’eed

      Hey Felix, I couldn’t agree more. We’re on our way to a better future, but clearly not fast enough.

    • ClusterFucker

      You couldn’t agree more but how long was this a known issue? How long did this sit in a defect queue waiting for something to be done about it? How many “shiny” features did you implement before this?

    • James

      WOW, Plain Text Really!

      I can’t get over that Envato, the go to place to learn about web security is not practicing what they preach!

      Really! 2 months free access….. try 1 year free access, we your customers that pay you $19 p/mth need to trust that our sensitive information is safe, which in this case might have well been in a public folder for all to see.

      Trust needs to be earned and after this it’s going to be very hard for Envato to get it back, but it can be done.

      However, 2 months free access is just an insult COME ON Envato this is a MAJOR fault that you knew about and you need to seriously stop being greedy and listen to your customers.

      As from the comments you aren’t going to very many left after this, so listen to us.

    • Fred

      Collis, Guys, not fast enough? This has NOTHING to do with speed! All you need to do was a basic Sha1 Salted on existing cleartext passwords! It would have taken – what, the length of time it takes to write a PHP script and to run a query. This is sheer laziness.

    • Rob

      It’s not that uncommon. You might be surprised at the companies still using this.

  • http://msfx.co.uk MSFX

    Wow. Ouch. Why attack a site where people go to learn…? :(

    • http://www.inspirad.com Joran den Houting

      They’re only searching for tons of data.

    • tpaulding

      Because there are usernames and passwords stored in an irresponsible fashion. You think a thief has merit?

    • http://blog.vamapaull.com vamapaull

      “Wow. Ouch. Why attack a site where people go to learn…?”

      To learn even more, about security :)

    • Tereško

      To illustrate WHY you should not try to learn anything from sites which store passwords in plain-text format.

    • David

      They’re not attacking this site. They’re getting your password (which invariably is likely to be used elsewhere, too) to go attack YOU at other sites like banks.

    • http://chrisblackwell.me Chris Blackwell

      Most likely because someone knew they used the plugin that stored the passwords in an unencrypted fashion, and knew if they got access, they would have those passwords.

    • http://graphicriver.net/user/mrcharlesbrown mrcharlesbrown

      “Most likely because someone knew they used the plugin that stored the passwords in an unencrypted fashion, and knew if they got access, they would have those passwords.”

      You are right Chris. Someone already has the information.

    • Israel

      because they were hoping to get access to credit cards! it is a paid service after all.

  • Lexperts

    Shit happens.

    Nothing is safe anymore. But no one will realize that.

    • http://dongilbert.net Don Gilbert

      Ya but when shit does happen it can be mitigated with a little salt and hash! When it’s plain text, that’s what makes it unsafe. That’s the real issue here. I’m not surprised Envato was hacked, I’m shocked that they knowingly stored user passwords in plain text.

    • Lexperts
    • http://www.patricealbertus.net/search-marketing/ Palbertus@Swiss-SEO

      Nothing anymore.
      Linkedin, lastfm, playstation, wordpress.com and now Envato

  • http://www.adrian-lewis.co.uk Adrian

    Oh man… clear text? I’m trying to find a way of saying what I want to but I cant without resorting to… colorful language.
    So I wont. Sorry guys, I wont be renewing my membership.

    • http://pixelb.in Alex Pascal

      And I just signed up for a year with them… Looks like I will be claiming that money back guarantee. Being hacked is understandable and forgivable because it can happen to anyone (Sony, anyone?), but storing passwords in cleartext… come on! That’s despicable. Constantly disappointed with you and your dev team, Envato.

    • Israel

      I can smell a lawsuit coming up!!!

  • http://www.iotecnologia.com.br Nícholas André

    Cleartext passwords? Shit….

  • rob

    OMG – unencrypted WTF – and 19$/m, really?

    • Kyle

      I agree entirely. A primary reason for charging should be that some of the revenue goes into protecting the customer from this kind of danger.

    • Matthew

      I agree as well, this is just bad, number one rule is to encrypt the passwords..

    • Diego

      I want my money back!!!!!!!!!!!!!!!!!!!!!!!! I won’t renew my membership, I’m very sad!!! You failed me =( 19 $ /month?
      come on…………

    • Israel

      as a web developer student I just took a back end development class (4 week only) about using salt and proper security practices to store passwords, hey you guys should call me if you need someone to teach you how to do it because obviously you don’t know how. Just when I was feeling bad because I don’t know much. After this I don’t feel that bad :)

  • http://zck.in Zack Kitzmiller

    Seriously? You host hundreds (thousands?) of tutorials on your site about web development and stored passwords in plaintext?

    Talk about amateur hour.

    • http://www.epochdev.com Jeff Seals

      * Like

    • Ignacio

      * Like

    • hey

      Hey,

      F*ck you buddy.

      Sincerely,

      God

    • Roberto

      *SUPER DUPER MEGA LIKE*

    • bianca

      * LIKE!

    • Matthew

      *like

    • Peter

      like

    • Alfa9Dev

      * Like ²

    • gdi2290

      +1

    • Jhennee

      +1

    • http://codeangry.com/ Claude “CodeAngry” Adrian

      You sir are a gentleman and a scholar!

      I was just about to use profanity on the matter of CLEAR FK’IN TEXT PASSWORDS on such a huge site… but I decided not to.

      Amateurs!

  • Ian

    It would be nice if you could put a link in this letter that takes everyone to the account settings area. It seems that that will be where everyone will be heading anyway. Just makes it easier.

    Just my two cents.

  • http://samuelmullen.com Samuel

    Were the passwords encrypted at all? Are you using salts?

    If you are as concerned as you are, it tells me you weren’t using _basic_ auth best practices.

    • http://zck.in Zack Kitzmiller

      From the article.

      > Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted).

    • http://para.llel.us Parallelus

      Who even makes a membership plugin that uses clear text passwords? Was it free?

    • http://pippinsplugins.com Pippin

      It’s called Amember: http://www.amember.com/p/

    • Matto

      And amember can’t claim any ignorance on this issue, as these posts show:

      http://www.amember.com/forum/search/57563/?q=plaintext&o=date

    • Alfa9Dev

      This aMember plugin thing somehow manages to be useful.
      But all they’re supposed to do is look up its source code and change the way they store the password. Easy As H**l.

  • Jay

    This really sux Collis. I really respect you and your company, so it’s like the hackers have hurt a part of me.

    Hope this just makes you stronger.

    Also – one piece of advice I think would help is to encourage people to regularly change their passwords anyway. A simple security precaution that I need to adhere to as well, especially after LinkedIn also got hacked.

    • David

      Not sure how you can say you respect him and his company now.

      They KNEW about the problem beforehand, yet still kept using the same stuff.

      All the sudden, they get hacked, we lose our passwords, and now there’s some kind of outpouring of support?

      This company accepted your money, and knowingly opened you up to attack.

      That is NEVER going to be cool in my book.

    • Dams

      “A simple security precaution that I need to adhere to as well, especially after LinkedIn also got hacked.”

      Yes but LinkedIn passwords were ENCRYPTED …

    • Jay

      I’ll say it again – I have a great respect for Collis. Nobody is perfect David.

      How many of the other Envato sites have cleartext passwords? None, and they had plans to solve this one also.

      You’re quick to blame, but how about you send some of your anger out towards the hackers. How many posts here are about the disgust and annoyance at them? They are the real problem.

      If LinkedIn’s passwords were encrypted, and they were hacked, then no one is safe. Have some forgiveness mate – you’ve never made a mistake before in your entire life?

      Or have you, and you just didn’t have the balls to sincerely apologise publicly?

  • http://soundcloud.com/tyriquemusic Taarique Debidin

    Well, alright, I hope all works out well. These things happen, I’m sure it’s not your fault ;) Thanks for telling us.

    • Mike Thomas

      Actually it IS their fault for storing the passwords in plain text. They were aware of it but didn’t fix it.

  • gturner

    where the hell am i supposed to login to change my password?????????????????? link please????????????

    • http://themeforest.net/user/JamiGibbs Jami

      Hi gturner,

      We’ll automatically send out reset password details once the Tuts+ site is back online hopefully within the next 24 hours. Thanks for your patience.

  • Alex

    The same people who we ask and pay to teach us to be better coders/designers allow a script to host passwords in plaintext?

    You’ve got to be kidding me. Especially with all the news around this in the recent past.

    I’m extremely disappointed and was a paying customer.

    • http://www.inspirad.com Joran den Houting

      Wasn’t it just 5 minutes of your time?

      $encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($password), $string, MCRYPT_MODE_CBC, md5(md5($password))));

      Easy as hell.

    • InsiteFX

      return gen_hash('SHA512', $str . $salt);

      Gee wasn’t Twitter that just got sued over this same mistake?

    • InsiteFX

      return hash('SHA512', $str . $salt);

      Gee wasn’t Twitter that just got sued over this same mistake?

    • InsiteFX

      return hash('SHA512', $str . $salt);

      Gee wasn’t it Twitter that just got sued over this same mistake?

    • Fede

      str_rot13($pass); // xD

  • Inge Thorin Eidsæther

    My subscription was cancelled a while ago and the password I used was unique to the site, but I have to wonder why Tuts+ rely on a plugin that stores passwords unencrypted in the first place?

  • Kris

    How can I log in to my account to change my password if you’ve replaced the website with a warning message?

    • http://www.whatsinadesign.com/ Rahul Parekh

      They have reset all the passwords so that’s not an issue.

      What you should do is change your passwords at PayPal/Moneybookers and other sites you use if you used the same passwords everywhere.

  • http://www.philwesson.com Phil Wesson

    Thanks for the heads up. Unfortunately, this happens to everyone more often than any of us would like. I appreciate your hurry to let us know. Hang in there!

  • Sasa

    Thanks for letting us know so quickly..
    However, I am personally very very disappointed by the fact that site like this would save whole passwords in any format, after all attacks happening lately..
    Very disappointed.

  • Mark

    Were the passwords hashed and salted when stored in the database? If so do I still really need to be concerned? If they were not I am curious as to why?

    • http://monxas.com monxas

      you should read the article dude….

      they weren’t hashed nor salted. PLAIN TEXT. so yes, be concerned.

      And next time read the article.

    • Nick

      Read The Fucking Article!

  • http://Jordanmerrick.com Jordan Merrick

    You store passwords in clear text? That’s pretty unforgivable. Give me one good reason why I should continue to use the services if you don’t take security seriously?

    • Jay

      Nobody’s perfect – give it a rest mate.

    • David H

      Sorry Jay, but Jordan’s right. Storing text in cleartext is unforgivable and a shocking breach of standard information protection.

    • David

      Hey Jay… the kicker is they KNEW about the problem already, and still kept their customers’ passwords in the clear.

      This is beyond reprehensible.

    • Mike Thomas

      “Nobody’s perfect, give it a rest”. Are you serious? Do you hold nobody accountable for their actions? This is unacceptable.

    • http://pippinsplugins.com Pippin

      Just because it was known about beforehand doesn’t mean they’ve had time to fix it, come on guys. If it comes out that they’ve known of the issue for years, or even months, then sure.

  • Youssef

    are our passwords encrypted?

    • Hector

      read the article in full “PLAINTEXT”

  • João Sardinha

    Passwords stored as cleartext?? That is not acceptable at all…

    But thank you for the blog post and the email, at least people know what’s going on, thank you

  • Ben

    Were the passwords encrypted in the database?

    • http://- ThatGuy

      no they weren’t they were stored in plain-text, mind = blown.

  • Eric Labonte

    I was just about to subscribe for a yearly membership today… Guess I waited just long enough!

    Anyways, when do you think I will be able to create an account and subscribe to tuts+premium?

    • Ryan Tablada

      The post said they hope within 48 hours. Time will tell. But knowing the Envato guys, they are pretty solid on time tables and this should be a deadline that can be made.

    • Israel

      damn you still going to subscribe! some people never learn, you should be running away from this site

  • jrit

    Hi!
    Wooops.

    Question: how to upgrade data? When I go to http://tutsplus.com/, I can’t login, I just see the security post.

    Jrit

    • David

      Did you read the post?

    • jrit

      Yes, I did.
      Thank for your kind help.

  • http://www.smaizys.com Richard S

    C’mon unencrypted passwords? Really? Is that possible here at Envato and with those tutorial websites?

  • Bob

    Storing passwords or any other sensitive data in plain text is unacceptable.

  • http://logixstudios.com Brandon

    Thanks for the quick response. Best of luck in getting things back up to full speed. You provide a great service and people understand that these things can happen to even the largest providers. Cheers!

    • Dams

      “people understand that these things can happen to even the largest providers.”

      No people just understand that envato is run by a bunch of amateurs …

      Largest providers are ENCRYPTING password.

    • Brian

      @Dams Just FYI. Linkedin’s 6.5m passwords were hashed, how long did it take for the hackers to crack 80% of them? Less than a day? Encryption is but a speedbump for hackers, just another challenge to overcome.

      This guy cracked 900K of the Linkedin SHA1 passwords in 4 hours by himself, using OLD cracking software (John the Ripper).

      https://community.qualys.com/blogs/securitylabs/2012/06/08/lessons-learned-from-cracking-2-million-linkedin-passwords

      So sure.. they goofed by not storing them as hashes, but honestly, how many of the THOUSANDS of users on here actually used a truly secure password? How many of them could easily be bruteforced?

      So for everyone with your panties in a bunch about the breach; Chill, change your passwords, move on. That’s what everyone did for every other known breach.

      Bottom line is if you don’t want your data/personal information on the internet, cancel your ISP account, go grab a stick and a rock and enjoy living like a neanderthal.

    • Mike Thomas

      @Brian In the article you provided, he mentions that salting the hashed passwords would’ve made cracking the passwords much more difficult. Combine that with the user making their password strong, it’s highly unlikely that any hacker would spend the insane amount of time even attempting to crack each password.

      “Encryption is but a speedbump for hackers, just another challenge to overcome.”
      Except this “speedbump” is significant. It’s the difference between cracking a password by looking at it and cracking a password by spending a year trying to decrypt each password because a strong algorithm was used to both hash AND salt the password. If you haven’t encrypted a password before, you should familiarize yourself with how easy it is by reading one of the articles that this very site provides. They could have fixed the problem in a very short amount of time, but they didn’t, and they made it absolutely simple for the data to be compromised.

      You telling people to “chill” isn’t helping the situation. Do you really think people don’t have a right to be upset that the passwords were stored in such an insecure way? On a site that educates people on secure password storage, no less?

    • Mike Thomas

      @Brian If you’re interested in reading more, here’s an article explaining how salting the password would make it much more secure:

      http://crackstation.net/hashing-security.htm
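The exchange above (Brian’s point that LinkedIn’s unsalted SHA-1 hashes fell within hours, and Mike Thomas’s reply that a salt plus a slow algorithm changes the picture) can be shown in a few lines. This is an added example written for this page, not code from the post, the commenters, or the articles they link; the user list is constructed and the function names are made up. It demonstrates two properties: with an unsalted hash, every account that shares a password shares a digest, so a copy of the table exposes the reuse and one precomputed digest matches all of them at once, whereas a per-user salt removes that; and an iterated derivation cuts the number of candidates that can be tested per second by orders of magnitude, which is the "speedbump" being argued about.

```python
# Added example for this page (not from the post, the commenters, or the
# linked articles): unsalted fast hash versus salted, iterated hash.
# SAMPLE_USERS and all function names are constructed for illustration.
import hashlib
import os
import time

# Constructed sample: three accounts, two of which reuse the same password.
SAMPLE_USERS = [
    ("ann@example.com", "password1"),
    ("ben@example.com", "password1"),
    ("cat@example.com", "Tr0ub4dor&3"),
]


def unsalted_sha1(password):
    """The scheme under discussion: one fast hash, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password, salt, iterations=100_000):
    """Salted and iterated: per-user salt plus a deliberate work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def unsalted_table(users):
    """Rows as an unsalted database would store them."""
    return [(email, unsalted_sha1(pw)) for email, pw in users]


def salted_table(users):
    """Rows as a salted database would store them (salt omitted for brevity,
    since the point is that the digests no longer collide)."""
    return [(email, salted_pbkdf2(pw, os.urandom(16))) for email, pw in users]


def duplicate_groups(records):
    """Group emails by stored digest. With an unsalted hash, every account
    that shares a password shares a digest, so a leak reveals the reuse
    directly; with per-user salts no two rows collide."""
    groups = {}
    for email, digest in records:
        groups.setdefault(digest, []).append(email)
    return [emails for emails in groups.values() if len(emails) > 1]


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough count of how many candidate passwords one core can test per
    second against a single stored digest. The ratio between the two
    schemes is what the iteration count buys the defender."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % n)
        n += 1
    return n / seconds


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(unsalted_table(SAMPLE_USERS)))
    print("salted duplicates:  ", duplicate_groups(salted_table(SAMPLE_USERS)))
    fixed_salt = b"constructed-salt"  # constant only so the benchmark is fair
    print("sha1 guesses/s:  %.0f" % guesses_per_second(unsalted_sha1))
    print("pbkdf2 guesses/s: %.0f" % guesses_per_second(
        lambda p: salted_pbkdf2(p, fixed_salt)))
```

The first two lines of output show the reuse between ann and ben is visible in the unsalted table and invisible in the salted one; the last two show the per-guess cost difference, which is why a salted, iterated scheme does not fall in an afternoon the way an unsalted SHA-1 table does.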

  • http://- ThatGuy

    Sorry but it’s absolutely unforgivable that whoever handles your security is keeping passwords in plaintext. That is security 101. In an age where free SQL injection applications are available for lay people to use this kind of thing is utterly third-rate.

    • Ryan Tablada

      From the post the issue did come from a 3rd party plugin. It sounds like they had recently switched over other Envato sites to a different system and were looking to switch Tuts+.

      This forced their hand.

      Yes it is a simple security practice. Unfortunately details like this get passed up when deploying 3rd party plugs (and depending on how the plug was written it can be hard to fix).

    • http://tutsplus.com Jeffrey Way

      No – Tuts+ Premium has always been separate. The marketplaces run on an entirely different system, so they weren’t affected.

  • ALP

    For the premium you charge, one would hope that at the very least passwords are stored securely…

    • Dams

      Agreed…

  • Kate

    Question: if I stopped using my account years ago and I have no way of finding that old password, I cannot check if I haven’t used it anywhere else. How can I find out what the stolen password is?

    • Kate

      Never mind. I found it. Thanks for the info. Now I will spend rest of the week looking for any ancient places where I could have used that password. Not cool :-/

    • http://dongilbert.net Don Gilbert

      True story – they shouldn’t have reset it without giving us the opportunity to figure out what it was. I’m sure they have a backup of the DB. Maybe they could send out a mass email containing the passwords that we used.

  • Leonard

    Hearing that a service has been hacked and my details are taken doesn’t faze me in the least, for me it’s part of life online.

    But to hear that my password has been stored in plain text I find disgusting practice that’s completely inexcusable, I’m sure your developers realised this from the very first moment they started work on it and saying a third party app was the reason is an appalling excuse. You’ve really shown a complete disregard for protecting your confidential users data.

  • http://www.iuditg.com Udit Goenka

    Thank you for updating us about the situation. I appreciate that you guys took action so quickly.

  • David Tuite

    If I remember correctly, I signed up for TutsPlus at one point with a credit card. Can you confirm that no credit card details were stored on the compromised server?

    Otherwise, I appreciate your honesty.

    • http://envato.com Vahid Ta’eed

      Hi David, we don’t store credit card details at any point. We only accept PayPal or MoneyBookers/Skrill.

  • http://www.epochdev.com Jeff Seals

    I can’t believe TutsPlus uses a third-party plugin for registration. I mean, c’mon, you guys are in the upper echelon of tutorials. On top of that cleartext passwords?!? This is an outrage!

  • http://www.devongilchrist.com Devon

    I appreciate the quick, clear and open communication from you guys. Much appreciated!

  • Joseph

    “…makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)”

    Are you Serious?!?!

  • Dude

    Shame on whatever “third party plugin” stores passwords in plaintext and shame on you guys for using it. How many more breaches need to occur?

  • mic

    storing in cleartext is ridiculous, have u guys not seen this coming..

  • http://danielmcclure.com Daniel

    Luckily I used a unique throwaway password for your site but I’m still concerned that you were knowingly using a plugin that stores ALL user passwords in plain text. Any company with your level of knowledge should know that was a disaster just waiting to happen.

    • Dams

      Well, they just proved they don’t have this level of knowledge…

  • Social

    a bit hard to change my password if the site is down but ok…

    • http://envato.com Vahid Ta’eed

      We are urgently working towards bringing the service back online and anticipate it should happen within 48 hours. We apologise for the inconvenience of Tuts+ Premium being offline during this time. When the site is back online, your password on the system will have been reset to a randomised string and you will need to update to a new password. Instructions will be posted on the site at the sign in point.

  • http://www.inspirad.com Joran den Houting

    “Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)”

    How do you mean? Are you guys stupid? That’s the worst decision a big company can make. If you’re not even able to make a hash of it, then don’t use a plugin like that.

    Sorry but I thought your website was a little bit safer than this..

  • Hannes

    “Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us[..]”

    That’s a joke…
    Getting “hacked” is one thing but storing passwords in plain text is another where I cannot accept any excuses. Especially you should know that this is a no go!

  • http://www.seedprod.com John Turner

    Were these passwords stored in clear text?

    • Mike Thomas

      If you read the article, it says they were stored in plain text.

    • Anonymous

      Read.

  • JF

    Incredible. Hard to not be pissed off.

  • Michael Knight

    I’m sorry to hear you have been hacked, but on the other hand, I’m pretty appalled that in this day and age of site hacks happening almost every day that you guys have not got any encryption for our passwords and that you also knew that one day it could be a potential security threat, but didn’t do anything about it. Furthermore, some of your web tuts discuss this issue.

    Whilst I personally accept your apology, I do feel that I’m losing trust in companies these days that play Russian roulette with our personal information. We put our faith in you to keep this info safe and it’s disappointing to find that it wasn’t even secure.

    I hope you get things back up and running soon.

    Mike.

  • Aditya

    When will the service resume?
    Were the PayPal or Skrill login addresses also cracked by the mischief makers??
    Also I couldn’t believe Tuts+ still stores unencrypted passwords even after it has happened a few times in the past with others.

  • http://n/a Ahmad

    I’ve received your email, and you told me to update any service that uses the same email/password as the one I am using on your website. But I cannot remember what password I used on your website because now I cannot log in to see what the password is.

    Please help!

  • Sharry

    Stored as cleartxt! How slow do you have to be?!

  • rzepak

    Now that’s a way to start a new week.

  • Codezyne

    What in the world are you thinking: “operates with cleartext passwords, and it was a known internal issue for us”?? The irony is so grand!

  • Kyle

    Disappointing guys/gals, using anything that depends on clear text passwords should be an obvious no-no these days. This will shake the whole credibility of the site.

  • Alessio

    Honestly guys, it’s 2012. WHO THE HELL stores cleartext passwords anymore?!
    I’m shocked.

    • Rashidul Islam

      Me too

    • albo

      I agree!

  • http://podemski.info kpodemski

    Cleartext? Rly? In 2012? OMG

    And you teach us about safety …

    Very bad Envato…

  • Adrian

    Oh..
    Now I understand that it was a big mistake to use the same password for my PayPal. My last 120$ were sent to another account; I hope I will get them back as I opened an issue on PayPal. At least it was not a big amount. Lesson learned: a unique password for each site, or at least for the most important ones, email, PayPal etc.

  • cipa

    Sorry to hear this but…

    really? clear text passwords, are you guys kidding!?

    In 2012 you still save passwords as clear text? I would understand this for a stupid website, but for nettuts premium!?

    Not sure what to say but this is really really really unprofessional.

    • Rashidul Islam

      shocked :(

  • Mariusz

    Plain text? Are you serious??? In 2012 do you use plain text for passwords???

    http://2.bp.blogspot.com/_GJ8Og4M7HBk/TDv7JdKP_rI/AAAAAAAAAjI/Co_IpvHK7sw/s400/double-facepalm.jpg

  • http://laranz.in Lawrence77

    ouch, after woothemes now tutsplus :( take care of other site too guys.

    Thanks,

  • Tristan Bessoussa

    SHAME ON YOU !

    Am I reading correctly: “stores passwords in cleartext”?

    Let me laugh? As a developer, the first thing we learn is “never store a password as an unencrypted string”.

    And you, Envato, giving advice, providing tutorials via your premium service, teaching students how to code, you store unencrypted passwords?

    Do you know that in Europe, we have a European law that forbids storing unencrypted passwords? If you break this law, you may have legal action taken against you.

    I’m really angry at you, for that HUGE and UNFORGIVABLE mistake you’ve made.

    You clearly lost me as a customer of your marketplaces and as a reader on your “tutorials” website.

    @sf_tristanb

    • Frank

      So True.

      You have just lost a customer for your premium services.

      I strongly doubt the quality and knowledge of your online training and articles. When you make such mistakes…

      Big time bummer!

    • Dams

      Agreed too. They should even refund us…

    • Chris

      Wow. So harsh. As if you’ve never made a mistake in your life. Have you ever been the CEO of a company like this? You act as if this plaintext password for Tuts Premium was the insight to your individual financial portfolio (which, come to think of it, would be COMPLETELY your fault for using the same password for a tutorial website as your banking password). Everyone must understand that this is a site for viewing quality tutorials that are professional and provide great information. I used a unique password for this site which is what I do for all the sites that I use, and IS GOOD PRACTICE for security purposes.
      Funny, in this day and age of corporations hiding, falsifying, covering and blaming someone else for their problems, we have a CEO that completely explains the situation and what occurred, and the mistakes that were made and all of you are OUTRAGED that something like this could happen…. give me a break. Take a chill pill… and realize that if YOU used good password practices, this ‘breach’ should not have affected any other sites that you use. At least they have the balls to be honest and are willing to make it right.
      I am OUTRAGED that people are completely over-reacting about this…. If my bank told me that they stored my password to my checking account as plaintext, I would be upset…… a tutorial website…. no.

  • http://dongilbert.net Don Gilbert

    Are you kidding me? You mean after Last.fm, Sony, LinkedIn and countless other websites have been in the news for the past YEAR because they encountered this exact same situation, you found yourself still storing passwords in plaintext? WTF?!? And then, to top it off, you reset all the passwords without the possibility for users like myself to even try to figure out what their passwords were so they would know if they need to change it anywhere else. This is entirely unacceptable.

    “Things like this happen” – are you kidding me? Hey envato, why don’t you browse the password section on CodeCanyon? Maybe you could find something there that at least doesn’t store it in PLAIN TEXT!!!

    http://codecanyon.net/search?utf8=%E2%9C%93&term=password – there – I did it for you.

    • aki

      As a customer you did not lose me. I still support you. I like how you handle teaching. Very easy to understand. Especially JavaScript. Would not suggest any solution you know better. i know how hard it is to handle thousands of new users and converting all website to a new system would not be easy. I would suggest giving out 2-3 great tutorials as a gift. We still would love you. I know Envato for being generous in its giving out new free tuts.

      Could you make one full course on nodeJS gaming. using TCP.

  • Nikita

    I have forgotten the password, when i tried to retrieve it, but it says email not found?

    • Bill

      I forgot my password too. WTF!

  • Art

    Good luck with the fixes, but storing passwords in plain text… really?

  • Steve

    I can’t believe you weren’t encrypting passwords!!
    Maybe a tutorial on the importance of this is in order!

    Thanks for bringing this to our attention so quickly though and let’s not forget who the bad guys really are. Damn those hackers!

  • Jeff

    Has any financial data been compromised?

    • Ibrahim

      Hi Jeff, I hope you are well. We don’t store any type of financial data, all the payments are handled by PayPal or MoneyBookers/Skrill.

      Thanks!

  • Ross McLoughlin

    Hey,

    That sucks. I won’t be renewing my membership either.

    Ross

  • http://themeforest.net/user/pezflash pez

    Thanks Collins for alerting us so quickly. But I agree with almost all comments, storing passwords in cleartext is pretty unacceptable. Big mistake for such a large company, and somehow surreal considering the number of coders in this marketplace… :(

  • Sam

    Really disappointed to see news about how passwords were stored. Also, I managed to log in at http://tutsplus.com/amember/login.php with my old password and can access my account.

    Clearly my password isn’t part of “all user passwords”.

  • Josh

    One of the leading web dev resources stores passwords of paying customers in plaintext? Insert *expletives*. Epic facepalm of a fail. Really pissed off.

  • http://www.tritonseo.com/ Ollie

    Well, at least you guys are being up front and honest about it.

    Maybe there should be a course in the future on hardening your website from hacks?

    • Meshach

      Like they would be qualified to teach that?

  • http://apas.gr Apostolos

    Tuts+ Premium […] a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)

    — ARE YOU FUCKING KIDDING.

  • Scott

    You store your passwords as plaintext? Are you kidding me? Don’t you read your own tutorials? OK, so how do I change my password? I don’t see any link to do that. At least let me change my password now that you’ve compromised it.

  • Matthew

    I highly respect Envato as a company and didn’t expect you to be using such insecure software. Very disappointing.

  • http://f-j.co Fez

    Guys! I understand security breaches happen. But come on… I can NOT believe you were using a third party plugin that was storing users passwords in cleartext. That’s very irresponsible. I was expecting better than this : \

  • Seth

    I’m having a very hard time justifying paying for this now. You mean to tell me you preach security in your tutorials and end up saving my password in plain text. REALLY???

    How could this have been a known issue and not been priority NUMBER 1!

    This is a major lack of reason and to be honest I will be canceling my account moving forward. Your inability to fix this knowing it was an issue makes it clear that your priority is getting more users over protecting the existing users.

    This is inexcusable and unacceptable.

    Please feel free to read all the following tutorials on your own website.

    http://net.tutsplus.com/?s=security

  • luckyrye

    I enjoy how even the _accounts compromised post_ has a “related posts” section at the bottom. :-\

    *sigh*

  • Joram Oudenaarde

    Thanks for the quick notification… it sucks to hear that you’ve been hacked though :( Good luck with getting things back online/in working order!

  • http://lmgtfy.com/?q=bcrypt Srsly?

    You guys should consider getting out the making-websites business.

    Hopefully the market will do it for you.

    Cheers!

  • http://chandra.utama.us Chandra

    It is disappointing, it puts all Tuts+ users at risk.

  • p.

    “Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)”

    Are you fucking serious?

    Even a fucking 12-year-old kid knows that this is fucking bad.

    With all the team members you have and the money you’re supposed to make, security should be YOUR TOP FUCKING SECURITY.

    So instead of acquiring dumb services such as snipplr that don’t work anyway, invest a fucking 100$ on a security consultant that will tell you what you do is fucking bad.

    See… this is why people don’t like to signup on online service anymore; this is why people want everything for free with no signup nor just giving their e-mail.

    It is 100% because of guys like YOU who make such fucking decisions (to use a dumb plugin that doesn’t hash your password… fucking SERIOUSLY!!!! can’t you re-do the plugin and use encrypted passwords?).

    Not only is this fucking unacceptable for a regular dumb free app, but for a paid membership this is totally fucked up.

    Shame on you.
    Shame on you.
    Shame on you.
    Shame on you.

    The worst part of this mess is that you guys KNEW you were storing cleartext passwords – it’s not even like you had a DDoS from some china IPs… it is 100% YOUR fault!

    This is also why users stop inserting CC details in marketplace or ecommerce sites directly…

    By doing such dumb things, you don’t only fuck your company up, you screw an entire ecosystem… because nobody is going to renew their membership after this, and that’s thousands of people who may not use a password on sites that don’t have the dumb SSL EV green bar.

    • Seth

      I would like this if they installed a 3rd party plugin that allowed it.

  • http://twitter.com/yellowshark YellowShark

    Plain-text passwords… Awesome. Don’t worry though, I’m sure you’re not gonna be the last folks to get caught out like this.

  • Jason

    Cleartext? Are you serious? You should pack up your company and shut down, because if this wasn’t the number one priority then you really don’t care about your customers, and don’t deserve them.

    • http://envato.com Bob

      Couldn’t have said it better myself.

      Not only that, passwords have probably been stored in plain text since the beginning of TutsPremium, so at least 5+ years.

      And they say they were aware of it, yet didn’t make a move in 5+ years?

      Wow. Just fucking wow.

  • B.Prasanna

    Cleartext Passwords?! Absolute disregard for security!

  • Michael Mal

    A free month for those affected sounds like an acceptable apology…

  • Mel

    My monthly payment has just come out of paypal just as this news appears, I am sorry this has happened but cannot help but feel highly frustrated at the fact that envato “stores passwords in cleartext ”. I will be canceling.

  • http://butlerm.com Matthew Butler

    I truly cannot believe the passwords were stored as plain text. Thank you SOOOO MUCH envato!! 3 days before my wedding, as if I don’t have enough going on.

    • doru

      Congratulations on your wedding! :D

  • René Lux

    I am happy with the immediate notice, but seriously a premium tutorial service that stores my password in plaintext?

    For me this makes it look like I paid for some crappy product; how can you guys take yourselves seriously? The excuse that it was an external plugin is a complete non-argument. This shows that you guys have a team of developers/managers that clearly don’t know what they are doing. Never ever should a plugin be used that stores security details in plaintext.

    And furthermore, you estimate that the website will be back in 48 hours. So why wasn’t this fixed yet? If it can be done in 48 hours now, it could have been done in the last month. This is clearly also a case of very bad management!

    I was a very happy user of Envato products, but I seriously need to re-think whether I am going to keep any accounts open at any of your products!

    I hope that there will be a very clear explanation of how this could happen and why these decisions were made. And in what way are these kinds of mistakes going to be prevented?

    With Regards,

    A very frustrated and disappointed customer!!!

  • Marcus Stephens

    Where do I go to change my password? I can’t find an account settings page anywhere? Can you please post a link

    • http://envato.com Vahid Ta’eed

      Hi Marcus, When the site is back online, your password on the system will have been reset to a randomised string and you will need to update to a new password. Instructions will be posted on the site at the sign in point. We currently anticipate the site should be back online within about 48 hours.

  • Anon

    I was first okay as I read the title; I have been a long time user but haven’t logged in in 2 years, so I forgot my pass.

    And when i read that you store it in cleartext…

    YOU FUCKIN RETARDS?

    • Thomas Bates

      I understand that this is stressful, and obviously a very bad mistake, but your comment is outright rude (unreasonably so).

  • http://www.krsiak.cz/ Krsiak Daniel

    getting hacked, ok
    that happens but … storing passwords in cleartext … ??? !!!

    to say “We’re Extremely Sorry” does not really help when someone’s money will get stolen from paypal or get access to email, that is fine too I guess … no it is not !

    guys
    stop teaching other people what to do (and charging money for it) … and clean up your own mess first !

    I had to change my paypal + gmail password just in case
    thanks a lot

    I was thinking about a year membership and major buy on ThemeForest
    I was paying customer, not any more

    good bye Envato

  • http://www.twitter.com/csscallum Callum

    This is nothing short of outrageous behaviour from a company who clearly don’t practice what they preach. In no way, ever, under any circumstances, should it be acceptable to store users passwords as clear text.

  • Guilherme Rambo

    Oh that’s great! It’s really easy to change the password on ALL THE SERVICES I USE. You should pay me for having to do so.

    Every service provider storing passwords in plaintext should burn in hell ¬¬

    • Bill

      You use the same password for ALL THE SERVICES YOU USE and you’re pissed at Envato for poor security practices? Really?!?!

    • http://digitalformula.net Chris

      +1 for Bill’s comment. Anyone using the same password everywhere lost the right to complain about security long before Envato got hacked.

  • http://Isthisajoke? RP

    We’re in the year 2012 and you still use cleartext to store passwords?! Are you f kidding me?! It’s such a nightmare for me because I used the same password on many important websites. What a f joke!

  • http://sibudi.net sibudi

    what kind of plugin, storing password in cleartext?

  • Seth

    Highly unprofessional. This is absolutely inexcusable and I demand not only a full refund for the entire subscription.

    It’s one thing if it’s a free site, it’s another thing entirely that I’m paying $19 a month on this.

    I instantly regret ever signing up for your service and will be unsubscribing as soon as your shitty wordpress site is back up.

    • Allan MacGregor

      +1

  • http://www.leihai.com/ Stephen Curtis

    The quality of the tutorials and material on the site would lead you to believe this is a community site run by industry professionals. Now, this confirms my suspicions that this is a community site run by extremely talented hobbyists. I’ve been a loyal reader of tuts plus since 2008 with PSD Tuts, and a premium member since you started offering paid service. I can’t believe this happened. There is no excuse for lax security.

  • Miguel Costa

    What other information do you store about your clients?
    The last ip used to log in?

    I made the stupid mistake of trusting you guys with one of the passwords I use to access my private projects… I will now have to change all my social media passwords, project management platforms and all the passwords on all the sites I worked on..

    And I hope that you didn’t store IPs, because if you did, I will have to find a way to change my static IP…

    I hope you guys will find a way to compensate from all the inconvenience you are putting us through…

    Dam I recommended you to all my closest friends..

  • Villi Magg

    I am very disappointed. I thought you were better than that. Using a third party plugin which stores passwords as clear text. And knowing about the issue and not rushing to fix it before after the intrusion!

    Needless to say I can’t take you guys seriously anymore and it probably won’t come as a shock when people won’t renew their memberships after this exploit.

    Good luck.

  • Dams

    WTF seriously. Not only are you selling “premium tutorials” that are in fact nothing more than what we could find on the web, but you are also stupid enough to store passwords in CLEAR in 2012.

    I now understand more why the tutorials suck so much when I see the level of professionalism. I assume that the admin password on your servers must be “admin” or something like “1234”.

    You SUCK so much, I WANT a full refund of your crap.

  • http://www.sleekweb.net Ryan

    Unencrypted passwords? Are you kidding me?!

    http://www.sleekweb.net/tutsplusHack.jpg

  • http://www.iuditg.com Udit Goenka

    Were you guys really saving the passwords as cleartext? seriously? :|

  • http://no.com Carrie

    MD5 jokers laugh at you. Also, it’s funny how this company has been operating for 5+ years and hasn’t gotten around to a huge security issue.

    Key points: We take your money seriously, however, your security.. Not sooo muchhhhhh.

  • http://www.designdeveloprealize.com Marc

    Wow, so clear text passwords… If it was a known issue internally then why not replace the plugin or drop it until you fix that issue!?!

    As for the rest of it, it happens but I am certainly reconsidering my membership

  • Ignacio

    Wow! Good luck but… Leaving unencrypted pass is a rookie and serious mistake. Anyway, I hope you solve it as soon as possible because I love your courses.

  • Steve

    Take it your valued members won’t be reimbursed for this breach then? If not I’ll go through PayPal as a breach of service…

  • Mike

    Plain text, not what I would have expected. Did they get our payment info as well?

    Collecting our money and ignoring common security is plain business incompetence.

  • E.T.Cook

    Exactly what everyone else has already stated – clear text? Your hypocrisy and competence know no bounds.

    You owe a lot more than an apology.

    • E.T.Cook

      *incompetence

  • Ja

    Is there a site to check if my email address is in the leaked list?

  • Kyle

    I would have been ok with the breach, as this stuff happens…. but clear text passwords? That’s unacceptable. I will not be renewing my membership next month.

  • Julien Rodrigues

    REALLY??? PLAIN TEXT??

  • http://twitter.com/creativityhurts Eddie

    I remember a while ago adding Tuts+ to plaintextoffenders.com so I guess it was just a matter of time.

    It’s such a shame, especially since you guys teach others web development for $19/month.

    • Mist

      Ugh, how long ago is “a while ago”? I for one am interested in knowing how long this problem existed that they were supposedly “planning” on fixing.

    • doru

      But how did you know?

    • james

      Here it is from June 2011:

      http://plaintextoffenders.com/page/45

  • http://none cath

    Hi,
    I wonder whether my credit card data that I use when I buy things here was hacked too?

    • http://envato.com Vahid Ta’eed

      Hi Cath – We don’t accept or store credit card data so this information as all transactions are via PayPal or MoneyBookers/Skrill.

  • Brian

    You should be ASHAMED of yourselves! PISSED

  • Mel

    On the day my monthly payment for your services renew, I get told you have a security breach and you store passwords in cleartext- I can’t help but feel frustrated. I will be canceling.

  • Adrian

    If you used the same password on email or PayPal change it ASAP. Seems like the hackers already started to use the passwords… they have your email and your password in plain text so they just have to use them… like a copy&paste job for a 5-year-old kid. That’s what Envato gives us for the premium accounts. Once I can log in I will stop paying you guys.

    Any place where we can donate some $ so you can hire a developer that gives a fuck about us? Not the ones you already have, that knew the passwords were stored in plain text and left them like that for (how long?) 1-2-3 years????

  • Brian

    You indicate that sensitive data ‘including’ email and passwords were compromised.

    Can you specify exactly what information was compromised?

    I cannot recall exactly what information I was asked to provide.

    Were any of the following also compromised: addresses, billing information, alternate email addresses, security questions, phone numbers?

    • Michael

      Hey,

      I have the same questions as Brian and other users here….

      what exactly was stored in plaintext besides our passwords??

      At this point I expect from you at least to tell the whole truth about exactly what data was compromised by this hack.

  • Joe

    stores passwords in cleartext? C’mon, really!?!

  • Adrian

    And what if any of the developers that work at Envato wanted to look over my emails? They had my password in plain text. My mistake, I used the same one, but wtf it’s 2012 !!! Wake up !

  • http://www.krsiak.cz/ Krsiak Daniel

    cleartext !!! … :D

    Envato, I will not be mean to you
    stop teaching people, give them money back

    saying “We’re Extremely Sorry”
    does not help when you have to change pass on email + paypal “just in case”

    saying “We’re Extremely Sorry”
    does not help people who will not maybe but eventually get money stolen and their private emails accessed

    saying “We’re Extremely Sorry”
    helps to people like me who WERE your customer to NOT TO BE your customer

    goodbye Envato
    goodbye the stupid person

    … who knew about it
    … who (some manager) was managing it in the first place
    … who approved using stuff that stores thousands of people’s passwords in a plain text file !

  • adrian chen

    why would I want to learn from someone who makes mistakes worse than me? I find it a bit fishy just how this happened right after our subs were renewed. I think I’m gonna discontinue my sub after this month :[

  • TylerF

    Can I direct you to this tutorial (hosted on Nettuts+) which may explain how to stop this happening?

    http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

    I don’t care that you were hacked or details stolen, it does happen, and there are a lot of arse-holes out there, however as a service provider of a premium service you have a responsibility to keep our data safe, storing passwords in plain text does NOT keep our data safe, why did you even use it in the first place? A third party tool that has such a blinding security issue is bound to have security issues elsewhere.

    You can forget about me renewing my subscription, glad I pay monthly otherwise I would be wanting a refund.

  • http://pippinsplugins.com Pippin

    Storing passwords in plain text is inexcusable, that is true, however, I’d like to jump in and say something on Envato’s behalf.

    Tuts+ runs on Amember, which is probably the largest, most used premium content / subscription system / service on the net. It runs thousands and thousands of sites.

    It is amember that stored the passwords in cleartext. I have personally used amember (and hated it) and there is one very serious problem (aside from the passwords): once you have a large member base established, it is very, very, even excruciatingly difficult to move away from it.

    The newest versions of amember have moved away from the clear text passwords, but, unfortunately, the system devs made it almost impossible to upgrade from the previous versions. Upgrading to the new versions means completely, almost from the ground up, rebuilding the site and any integration you have done with it.

    As Colis mentioned, the devs were aware of the issue and were in the process of moving away from amember (or upgrading to the latest). Unfortunately they were not quite quick enough.

    I do a lot of development on a large membership site that is also running amember (a version with plain text passwords), and we are working hard to move away from it because we are aware of the security problems.

    Believe me when I tell you, it is excruciatingly difficult and time consuming to move away from it.

    Amember is like black hole: you try and try to get away from it, but it makes moving your site and members to a different system so damn hard.

    It sucks that Tuts+ was using amember and that this happened, but I would consider throwing your fireballs in a slightly different direction: the largest membership software on the net.

    • http://google.com anon

      While the perspective is good, it’s important to understand how security of passwords is handled.

      Let’s say you have 100k users. They have 100k passwords in clear text.

      If it’s all in one sql table, you can run a script that will generate and subsequently store salted hashes. Writing the script should take about thirty minutes.

      If Amember is even remotely decent, its authentication module is probably contained in a very small set of files. So instead of checking a submitted password parameter, you create the hash and pull the salt from the email db entry, and build the hash on the fly. If they match, then boom, access.

      The entire process of moving over shouldn’t take more than about 2-3 hours, as long as Amember doesn’t have authentication code sprawled across the views.

      I know the folks at Envato are smart enough to handle things like this quickly and easily. If they aren’t smart enough, they find people who are, and pay them to do what they do best.

      This mistake has less to do with Amember, and more to do with internal scheduling and someone dropping the ball.

      They screwed up, they apologized.
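The migration the comment above sketches, as an added example that is not part of the original thread and not aMember or Envato code: a one-off script that replaces every cleartext password with a random salt plus a PBKDF2-HMAC-SHA256 hash, and a replacement check that pulls the member’s salt, hashes the submitted password the same way and compares in constant time. The table layout, column names and sample rows are constructed for the example.

```python
"""Migrate a cleartext password table to salted hashes, then authenticate
against the hashes.  Added example; not code from Tuts+, Envato or aMember.
The `members` table, its columns and the sample rows are constructed."""
import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 work factor.  A leaked table now costs the attacker this
# many hash operations per guess per user instead of zero; raise it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for one password under one per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data in the shape the comment describes: one row per
    member, the password column holding cleartext.  salt/pw_hash start empty."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    conn.executemany(
        "INSERT INTO members (email, password) VALUES (?, ?)",
        [("alice@example.com", "correct horse battery staple"),
         ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def migrate(conn: sqlite3.Connection) -> int:
    """The one-off script: for every row that still holds cleartext, draw a
    fresh random salt, store salt + hash, and blank the cleartext column in
    the same statement so no row is left with both.  Returns rows converted."""
    rows = conn.execute(
        "SELECT email, password FROM members WHERE password IS NOT NULL"
    ).fetchall()
    for email, cleartext in rows:
        salt = os.urandom(SALT_BYTES)
        conn.execute(
            "UPDATE members SET salt = ?, pw_hash = ?, password = NULL "
            "WHERE email = ?",
            (salt, hash_password(cleartext, salt), email),
        )
    conn.commit()
    return len(rows)


def authenticate(conn: sqlite3.Connection, email: str, submitted: str) -> bool:
    """Replacement for the plugin's password check: fetch this member's salt,
    hash what the user typed the same way, compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM members WHERE email = ?", (email,)
    ).fetchone()
    if row is None or row[0] is None:
        # Unknown member, or a row the migration has not reached yet.  Refuse
        # rather than falling back to a cleartext comparison.
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(submitted, salt), stored)


def cleartext_remaining(conn: sqlite3.Connection) -> int:
    """Post-migration check: how many rows still hold a cleartext password."""
    return conn.execute(
        "SELECT COUNT(*) FROM members WHERE password IS NOT NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("rows converted:", migrate(db))
    print("cleartext rows left:", cleartext_remaining(db))
    print("alice, right password:", authenticate(db, "alice@example.com", "correct horse battery staple"))
    print("alice, wrong password:", authenticate(db, "alice@example.com", "hunter2"))
```

After the migration a dump of the table yields only salts and hashes, so each stolen row has to be guessed one password at a time instead of being copied straight into another site’s login form.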

    • Dude

      In this post from 2004 one of the admins of amember says they do not store in plaintext. http://www.amember.com/forum/threads/password-on-resend-sign-up-info-is-encrypted.14218/

      Why do you think this is wrong? It’s not difficult to find out, just look in the DB.

    • Mist

      BS. Excuses, excuses.

      Because guess what? Your site (what is it again, by the way?) could be hacked at any second, and your users will lose out on their information.

      Instead of shutting the site down (since you seem to find it impossible to migrate quickly), you’re leaving it up. You’re leaving it up for YOUR benefit, not for the customers whose data you know full well is just WAITING for someone to come along and steal it.

      Why haven’t you pulled the plug on the site yet? Because that would lose you customers and money. Your customers are standing on a ticking timebomb and you don’t even want to warn them because you’re trying to cover your own rear end.

      And THAT is why I’m ticked off about this. Once you find out that this issue exists, the RIGHT thing to do is to protect your customers. As a matter of fact, if Envato had shut the site down BEFORE the breach, fixed the problem, and then brought the site back up and explained to everyone why they did it? Yeah, there’d be a few people complaining, but everyone else would have been relieved and impressed that they were willing to go out on a limb like that in order to do the right thing.

      Heck, even a fake “scheduled maintenance” or “Server issues” would have worked to buy them the time necessary to fix such a big issue. Instead, they kept risking OUR data so it wouldn’t affect THEIR pockets.

      I’m about sick of people who put money over responsibility, and I’m about sick of the folks who defend them.

    • jarod

      Then why did they start using amember?

      When you’re a bit professional and have to pick a technology, you compare every option and do multiple tests.

      Additionally, internally developing an “amember” for envato wouldn’t have been hard when you look at their teams’ size…

    • http://pippinsplugins.com Pippin

      In this particular case (the site I’ve worked for–I’m just an employee), amember was in use WAY before I came on. I’ve had to deal with the consequences of that. I would love to be able to send the company back to before they chose amember because I would never have allowed it.

      Personally, I have no idea why Envato chose to use amember in the first place. It really is a pretty awful piece of software.

    • John

      +1

      I would also like to offer a suggestion for where the fireballs should be directed: the hackers!

      Oh my goodness people – get over it. If LinkedIn can be hacked, and they encrypted their passwords, then nobody is safe.

      The hackers are the real problem here.

    • Israel

      They should be taking legal action against aMember for lack of protection for their users.
      Unless they are explicitly warning you about their policy of storing passwords in plain form; if that’s the case then we should take legal action against Envato for knowingly putting their users in danger.

  • http://32bitdesign.co.uk Evil

    Really sad to hear but have full faith in you guys.

    Ross

  • Mike

    Sigh…yet ANOTHER site that stores our passwords in clear text…

    Am I going to have to send EVERY site I register for a support request before I sign-up to ensure they’re encrypting our passwords?

  • Felipe Arima

    Guys, at least you should provide us with some support to protect our information! PSN gave us 12 months of free service from AllClear ID PLUS.

    https://www.allclearid.com/

    I’m not a security/programming specialist, but that “plain text” fields in passwords sounds really unsafe. I would really appreciate it if you provided a service like that as a response for the trouble of verifying and changing passwords over multiple accounts.

    We are waiting for updates!

  • albertio

    >Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.

    in other words ignore the other sites that were getting hacked hoping it would not happen – cleartext passwords

    it has been over 12 months since Sony got hacked and you made the same mistake

    good to see the websites that fail to update for the benefit of their customers have it spelled out for them

    salt, hash, not too much of an inconvenience

  • Riki

    I’m as angry as many of the folks here are. I haven’t even logged in for a long time. The clear-text thing is bad enough, but I came here to try and figure out what my password was so that I know which services I need to change that have the same passwords. Now it turns out I can’t even check. Wonderful.

    So I guess I need to change my password for every single service out there. Are you kidding me?

  • Dana

    I had a unique password. This really doesn’t cause me any trouble…

    But I don’t think I’ll be renewing my membership. It’s a blatant disregard of the well-being of your members, and from the very people you’d expect to know better.

    Very disappointed.

    • http://digitalformula.net Chris

      I’m with you, Dana. As someone that uses a different “randomly generated” password for every service, this doesn’t inconvenience me at all, other than remove access to the site for a while.

      That said, once this is all done and dusted, it’s difficult to imagine renewing a membership in case there are other major issues we’re not aware of (e.g. DB backups that still have those plain text passwords).

  • Adrian

    @Pippin It may be hard to update amember or replace it with another system, but wtf, why did they start with it? They teach people to code, can’t they make their own system if the most popular one sucks? Can’t they just find another one that fits their needs? Can’t they add a bit of security to the actual amember script? A lot of possibilities.

    • http://pippinsplugins.com Pippin

      When we (the site I work with) started with amember, we had no idea whatsoever that amember stored passwords as plain text. It was said to be a great piece of software (it was also one of the only ones around at the time) and there was no reason we should have suspected it was making such a terrible breach of security practices.

      I’m going to assume that the case was exactly the same for Tuts+.

    • Mist

      @Pippin – Please tell me the name of your site, so I can avoid it like the plague.

      Because who’s using third party software without checking and double checking that all of the security parameters are sound?

      I’m not perfect. And usually, I forgive very easily. I’ve even forgiven people for stabbing me in the back at work and elsewhere.

      But this was a major oversight, and the whole “we had a plan” thing pisses me off. I’ve worked in web development my entire career. When there’s a potential problem like this, we’ve always been called in – at night, on weekends, on holidays – you name it, we did not screw around with people’s sensitive information, and we certainly did not sit around planning without implementing at least a temporary fix to the problem.

      The problem should have been fixed IMMEDIATELY, and if they couldn’t fix it immediately, they should have simply taken the site down until they could. That would’ve been the RIGHT thing to do, instead of the crappy “we want to save ourselves some money and effort” version of things.

    • Rashidul Islam

      amember doesn’t use cleartext technology :(

    • http://pippinsplugins.com Pippin

      You’re telling me that you have checked every line of code of every single 3rd party piece of software BEFORE you used it? Nice try. That definitely doesn’t happen when the software has (at least until now) a very good public view of it.

      Amember has a huge following and is widely perceived as one of the best pieces of membership software out there. It’s for this reason that we (all sites that use it) should have been able to assume that it stored secure passwords. Unfortunately we were wrong.

      We’ve spent hours today, and every week, to move away from amember, but it’s difficult. Please don’t just yell and say “COME ON, IT’S EASY!”, because it really isn’t. When you have thousands and thousands of users that you have to ensure do not lose access to their account while switching software, you have to be very careful and do test upon test upon test.

      In regards to amember storing (or not storing) passwords in plain text, yes, it most certainly does, as long as you are using a version prior to version 4. Version 4 uses secure passwords. Version 3 and earlier does not.

    • John M

      @Pippin This is not a matter of checking every line of code. It’s a matter of living up to the responsibility you have for your users when you store their data. This means taking reasonable measures to ensure that their information is not compromised. Not leaving passwords in plaintext is pretty much *the* most basic and one of the most important measures that needs to be taken.

      The storing of plaintext passwords can be noticed with even the most rudimentary of database inspection during testing. Testing that absolutely must be carried out before launching a service like this.

      While I can sympathise with your problem, if you had carried out due diligence when developing and testing your site you wouldn’t now be stuck with the task of transferring thousands of customers to a new system.

    • http://pippinsplugins.com Pippin

      Yes, it should have been detected beforehand.

      Not arguing with you here, but in my case the problem was present long before I came on board ;)

  • Won

    You guys have been running this site for how many years?
    And like someone else mentioned, there were numerous incidents prior to YOUR current breach regarding the security issue. And you guys still neglected this issue. This is a complete disrespect to the customers due to utter laziness.

  • http://google.com Anon

    I’m fairly certain that Envato realizes this was a huge mistake. Whatever plugin this was, the developer should be shot in the foot. We’ve all made our share of mistakes, grabbing plugins that are clearly insecure. Perhaps the complexity of the plugin would mean that the Envato team would have had to invest time to get the issue fixed.

    There was a time when cleartext passwords were okay. (It wasn’t for long, but it did exist.) I can imagine this being an “urgent” task that was on a backlog behind all daily tasks, and just got pushed down the list a bit too far.

    While it clearly wasn’t an “acceptable” mistake, it’s one of many mistakes that can happen when a company doesn’t invest the time that is necessary to complete a product before exposing it to the world.

  • Ryan

    PLAIN FREAKING TEXT?

    I was contemplating renewing my Tuts+ sub, but now I will not until I receive word that the passwords are being bcrypted or at least hashed/salted.

  • http://Ellio7.com Elliot

    Funny, in my first term studying web development we were taught to encode passwords. Seriously awful practice, and makes me think what other important aspects of security you guys might have half-assed. So disappointing; if it weren’t for Jeffrey Way, I’d unsub. Friggin love that guy.

    • http://digitalformula.net Chris

      lol at the Jeffrey Way part – this topic needs some humour (even if only for a second). :)

  • Jared

    This is inexcusable. You should not be able to just brush it away by saying “sorry, we need to do better”

  • Alek

    I thought about canceling my subscription after watching one extremely poorly recorded course. How could you approve it to post to your premium area? I could hardly watch it till the end.

    Now you continue confirming your attitude towards your customers.

    Things add up. I am thinking. Maybe one more thing, and you’ve lost me as a customer too.

  • aki

    aki on the 26th June

    As a customer you did not lose me. I still support you. I like how you handle teaching. Very easy to understand. Especially JavaScript. Would not suggest any solution, you know better. I know how hard it is to handle thousands of new users, and converting the whole website to a new system would not be easy. I would suggest giving out 2-3 great tutorials as a gift. We still would love you. I know Envato for being generous in giving out new free tuts.

    Could you make one full course on nodeJS gaming using TCP?

  • edwinrojer

    A few weeks ago I bought a theme on ‘ThemeForest’ and some days later I was called by my credit card company that fraud was committed with my credit card.

    Card was blocked instantly.

    Can you indicate whether the credit card data was linked to your login details?

    • http://envato.com Vahid Ta’eed

      Hi Edwin – We don’t store credit card details as all transactions are via PayPal and MoneyBookers/Skrill. Best contact support.envato.com, but I suspect you will need to talk to the card provider for additional information first.

  • PHP Dude

    Data being compromised is one thing, but knowing about having a security hole and not doing anything about it is an entirely different matter.

    Throughout all the marketplaces, how many of them are very competent developers? Yes, loads. Buckets full of them. So for God’s sake, just outsource some work.

  • Haroon Khan

    This is absolutely unacceptable and I would like my subscription money refunded.

  • RP

    I need to know what password I used. NOW!!

  • Terry M

    Is no one curious what the third-party plug-in is? Is it something that other sites might be using? If you’re (hopefully) not going to use it anymore, I think you should say what it is… so no one else gets bit by this.

    • Terry M

      Never mind, just saw the post above.

  • Matt

    How am I supposed to change my password if I can’t sign in?

    Unlike some people that won’t resort to ‘colorful’ language, all I have to say is, ‘what a cluster-fuck!’

    hugely irresponsible on your part.

    • http://envato.com Vahid Ta’eed

      Hi Matt, completely agree with your thoughts. The password will be automatically reset to a random string following the server being brought online again. We’re working on this urgent matter and currently estimate the service will be back online in less than 48 hours.

  • http://twitter.com/creativityhurts Eddie
    • Zach

      This would be funny if I weren’t quite so pissed off.

  • Marcus

    Where do we change our passwords? Can you post a link?

    • http://envato.com Vahid Ta’eed

      Hi Marcus, We are urgently working towards bringing the service back online and anticipate it should happen within 48 hours – We apologise for the inconvenience of Tuts+ Premium being offline during this time. When the site is back online, your password on the system will have been reset to a randomised string and you will need to update to a new password. Instructions will be posted on the site at the sign in point.

  • http://automatismosweb.gr George Girtsou

    This is so frustrating! Envato is a million dollar business and doesn’t even encrypt user passwords? What on earth did you expect?

    That is going to have a negative impact.

  • http://www.adrian-lewis.co.uk Adrian

    So, for those of you who are curious what this “3rd party plugin” is: it’s Amember. A system used to manage memberships.

    Thing is, the only thing I can find that mentions amember using cleartext passwords are references to versions that are over 4 years old. I’d love to be proved wrong on this, but it seems that Envato were using a script that was old as hell…

    Oh, and Envato guys, in case you’re not sure what to do next, here you go. http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

    ….

    • http://www.adrian-lewis.co.uk Adrian

      Dammit, last few comments beat me on both my points :P

    • http://pippinsplugins.com Pippin

      As I mentioned above, upgrading from the old-as-heck version of amember to the new one (which supposedly doesn’t have the problem) is really a pain in the ass. That’s not to say it shouldn’t be done, because obviously clear text passwords is much, much worse than having late nights trying to upgrade a system.

  • sunnyP

    I guess this breach is going to make for a great Tut — ‘How to Properly Store Passwords’

    • TylerF

      There are plenty of NetTuts tutorials about password security, one of them even goes on to talk about how securing passwords in plain text is awful.

      Err, awkward…

  • ish@Page

    You teach us about web development and how to secure it, but cannot secure yours and our sensitive data. I’m new to web technology and I already understand enough about encryption to not use cleartext.

    ish

  • ogiflak

    This is not acceptable, I don’t remember what password I was using there. And now I’m supposed to change all my passwords everywhere just because you guys “forgot” to encrypt some stupid passwords?!

    uh uh, this is wrong…

  • vanessa

    Not to jump on the bandwagon, but I have to agree with everyone on this. While I do appreciate you disclosing the reason for the breach, too many companies use the excuse that they knowingly had some type of inferior infrastructure (physical or technological) and were planning to make improvements ASAP. I suppose now this will cost you more money and resources (and possibly loyal members) to fix the problem rather than having prevented it in the first place. Really disappointing.

    • http://pippinsplugins.com Pippin

      Please read my comments above. The “inferior software” argument is a lot more than a cop out.

  • Luca

    sorry, but this is bad, very bad…

  • John

    Question for web people. If I recently changed my password (a month ago), would the previous passwords be listed or just the newest?

    • Angelina

      It would depend on when the breach occurred – it sounds like they discovered the breach this morning, but the hacker might have gotten data from over a month ago. Unfortunately, to be safe I suspect you’ll need to change your password on any other site that uses either your old password from a month ago, or the newer one. Sorry, man. This stinks.

  • Zero

    This was quite a hassle. Is there anything for compensation? I can forgive getting hacked, but ignorance is another level. I’m very disappointed to read this blog and how open our information was.

  • Sajit

    The only reason I’m not pissed is because you guys have top notch material on your site. I hope the situation gets resolved quickly. It was a pain in the ass to change all my passwords.

  • Chris

    I am so happy now that I updated my password to some random 20 characters about 2 weeks ago. Timing could not be better!

  • Zach

    I have written for and used Tuts+ and your marketplaces forever. This is terrible, clear text? Are you kidding?

  • Kevin

    Who in the HELL stores passwords as cleartext? That’s like a 1998 mistake, not something that’s acceptable for 2012. At the very least salt and stretch your passwords, and use bcrypt whenever possible.

    I’m really beginning to wonder if any engineers these days are actually competent at their jobs. LinkedIn, eHarmony, etc etc all getting passwords leaked all of a sudden. It’s becoming hard to trust other websites with my login credentials.

    For everyone else I’d recommend not using the same password for multiple sites. I’d recommend using something like 1Password to generate new passwords for each different site (and manage them). At least that way if one site’s password is cracked they won’t have access to other sites/email/facebook.

  • http://twitter.com/twittem Edward McIntyre

    I have to echo the distaste of the other commenters in discovering that the passwords were cleartext, and even more distaste for the fact that this is a known issue that went unresolved. Something that was overlooked in the initial email, so I am glad I read the post here.

  • Allan MacGregor

    Clear Text passwords ?! Disappointing from a site like Envato. I won’t be renewing my membership. There is no justification for doing that and Envato knows better.

  • http://tomwalters.co Tom Walters

    This is absolutely ridiculous, the fact that they were in plain text is in itself insane, but with all the scandals with companies such as LinkedIn recently, why wasn’t this fixed sooner?

    It’s not as though you’ve ignored a complex and misunderstood security issue, you’ve ignored the most basic principle of user system design.

    Coming from those who teach the next generation of web developers this is disgusting.

  • http://www.soundonsound.com Duwayne

    Clear text? You f***ing idiots!

    • http://twitter.com/twittem Edward McIntyre

      Side note: I love that these comments are moderated, yet something like this gets through. Thank you for the intelligent addition to the conversation.

    • Mist

      @Edward – In an event like this, Duwayne isn’t required to nor should he be expected to add something “intelligent” to the conversation. This was completely IDIOTIC. Who says that we’re required to try to sugar-coat it, to protect the delicate feelings of the people who screwed up in such a massive way?

    • http://www.soundonsound.com Duwayne

      (I’m echoing much of what @Mist said)

      @Edward – Expression of emotion due to a colossal f*** up is idiotic? What world do you live in? Storing passwords in an encrypted database is paramount in today’s environment. I would love to hear the reasoning behind that decision.

      I’m glad my internet practice of having different passwords for my services has protected me from this being a major disaster, but that doesn’t take away from my original statement. Clear text? You f***ing idiots!

      Thanks moderator for letting my comments through.

  • http://tutsplus.com Jeffrey Way

    Hey guys –

    As the lead web dev instructor on Tuts+ Premium, I have to say that I’m as shocked to hear about this as you are. It’s inexcusable – but I also know that Collis will deal with the aftermath as well as humanly possible.

    • http://www.krsiak.cz/ Krsiak Daniel

      hi Jeffrey,

      I like your post
      I follow you a long time, learnt a ton, big respect

      so below, nothing against you

      this is a management issue of big proportions
      the point is not all people are savvy users enough, like some folks who have 2 emails

      1.] personal super secret
      2.] some special one used only and only for registrations to sites

      which is super smart

      but that is only a handful of people
      others are normal users who mostly use their own email everywhere

      and as someone mentioned above
      some people use the same or similar passwords from time to time on other webs

      I change my password about every 3 months
      and even though my gmail got hacked some time ago

      and I had = 24 characters long pass, numbers, letters, special characters

      I believe you can imagine how outrageous and offensive it is for trusting, paying customers to realise that the subject you give your money, credit card details and stuff, keeps this in a “text file”

      not good and I as many other people cancel all and leave Envato for good as it is

    • Amanda Hackwith

      I also want to re-enforce what Jeffrey’s said here. I head the team of instructors for creative courses. This situation is not a reflection on their knowledge or content. Our instructors are very talented in their respective areas and great teachers.

    • http://www.krsiak.cz/ Krsiak Daniel

      @Amanda

      hi I get that
      I am saying that this is a management issue, not of any lecturer

      I like Jeffrey, learnt a ton from him
      for example how to use SASS + COMPASS last weekend :)

      skilled guy, huge respect

      I was just being ironic on this whole situation here
      because it puts a lot of smart people here at risk (money)

    • http://pixelb.in Alex Pascal

      If the site was built and run by the same guys that run the content, this would have never happened. Sadly, the real professionals only pump out the awesome content and don’t have control over the site backend and source code.

      Thanks Jeffrey and crew for making great content!

    • Paul Tanui

      This is really sad to learn. Tuts+ has been my most reliable site in learning, especially your tutorials Jeffrey. Sorry guys.

  • http://www.boostclic.com/en Advertising Network

    Thank you for updating us about the situation. I appreciate

  • Matthew

    how do i change my password….and then unsubscribe to you, unless you’re willing to offer all of this for free forever.

  • http://bluzgraphics.com BluzThemes

    WTF?! You wanna tell me you didn’t encrypt the passwords at all?! Good thing you let us know before anything bad happened.

    I know this stuff can happen but seriously that’s a newbie mistake guys, I expected more from you.

    Disappointed and shocked,
    Paz.

  • Juan Carlos

    Nice company clear text passwords >>>>

  • http://automatismosweb.gr George Girtsou

    @Jeffrey: So what is Collis’s next move going to be? How are you guys going to deal with this?

    • http://tutsplus.com Jeffrey Way

      That’ll be up to him, as the CEO. But clearly, we ensure that this never happens again. And then, on Nettuts+, I’ll supplement that by launching a big series on security.

    • http://dongilbert.net Don Gilbert

      Jeffrey – hopefully that will be a FREE tut series, so we don’t have to subscribe again to tutsplus to get it.

    • http://tutsplus.com Jeffrey Way

      Yes – Nettuts+ content is 100% free. :)

    • http://www.krsiak.cz/ Krsiak Daniel

      I am sorry Jeffrey
      I know you mean it good and all but

      “supplement that by launching a big series on security”

      is a big joke and will hardly fix it

      anyone not naive, will login in Tuts+ when possible, unsub, and cancel all stuff on Envato afterwards

      just imagine the people of Troy saying the next morning they got massacred by those Greek folks:

      “hey mate, the big horse felt suspicious, and all, I know we knew it but what the hell, we let him in anyway”

      sounds similar, sorry

    • Dams

      “That’ll be up to him, as the CEO. But clearly, we ensure that this never happens again. And then, on Nettuts+, I’ll supplement that by launching a big series on security.”

      I don’t care about you doing the jobs that should have been done since the beginning. I want my money BACK. I paid a one year at time…

    • http://tutsplus.com Jeffrey Way

      @Krsiak – It’s not attempting to make up for it; I’m simply noting that, on my site, Nettuts+, we’ll make a big effort to encourage better practices.

  • Ten

    We, as paying customers, need an explanation
    1) WHY our information was stored in plain text!!! ? where is your responsibility? !!!! (Disappointed !!!)
    2) HOW Envato can ensure their future customers (if they still want to be) that these kinds of problems will NOT happen again in the near future
    3) WHAT compensation Envato will pay for the customers’ loss
    4) Make a series of tutorials about how to enhance website security in practice (if people still trust you… sigh).

    • Anonymous

      They answered the first point – off the shelf software that didn’t do it, and apathy when it came to updating that made them put it off.

      For the second point they have said they will be updating the system within a few days. They should just need to modify amember to hash and salt the passwords.

      For point four Nettuts has already reposted a tutorial on hashed and salted passwords.

      And regarding compensation, the ideal thing to do from a PR point of view would be to let people get out all their anger now and offer up some free services later. I’d guess they’ll go for free Tuts+ subs or Marketplace credits.
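Kevin's "salt and stretch" advice earlier in the thread and the point just above that amember could be modified to hash and salt its passwords, as an added example that is not amember's or Envato's code: a migration from a cleartext user table to salted, stretched hashes that keeps every existing user's login working, plus the verify step. The user table, the sample rows and the stored record format are constructed for this example, and it uses PBKDF2 from the Python standard library in place of bcrypt.

```python
"""Added example, not amember's or Envato's code: migrate a cleartext
password table to salted, stretched hashes without locking anyone out,
then verify logins against the new records.

Assumed/constructed: the user table is a plain dict (standing in for a
database table), the sample rows are made up, and the stored record
format (algo$iterations$salt_hex$hash_hex) is one chosen for this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor: the "stretching" that slows offline cracking
SALT_BYTES = 16

# Constructed sample of a cleartext table like the one the thread is about.
CLEARTEXT_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",   # same password as bob; per-user salts must still differ
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, stretched record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS), salt.hex(), digest.hex()])


def is_hashed(record: str) -> bool:
    """Legacy cleartext rows carry no algorithm prefix."""
    return record.startswith(ALGO + "$")


def verify_password(record: str, candidate: str) -> bool:
    """Compare a candidate against a stored record in constant time,
    whether or not the record has been migrated yet."""
    if not is_hashed(record):
        return hmac.compare_digest(record.encode("utf-8"), candidate.encode("utf-8"))
    _algo, iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_table(users: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration: hash every cleartext row. No user loses access,
    because the hash is derived from the password they already know.
    Rows that are already hashed are left alone, so the job is safe to re-run."""
    return {name: rec if is_hashed(rec) else hash_password(rec)
            for name, rec in users.items()}


def login(users: Dict[str, str], name: str, candidate: str) -> bool:
    """Check a login. If the row is still cleartext (migration not yet run
    for it), upgrade it in place on a successful login."""
    record = users.get(name)
    if record is None:
        hash_password(candidate)   # spend the same work for unknown users
        return False
    ok = verify_password(record, candidate)
    if ok and not is_hashed(record):
        users[name] = hash_password(candidate)
    return ok


if __name__ == "__main__":
    table = migrate_table(CLEARTEXT_USERS)
    for user, rec in table.items():
        print(user, rec[:40] + "...")
    print("alice ok:", login(table, "alice", "correct horse battery staple"))
    print("alice wrong:", login(table, "alice", "hunter2"))
```

Once every row is hashed, the cleartext branch in `verify_password` and the upgrade-on-login path can be removed, and a database dump no longer yields usable passwords.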

    • Jamie

      I completely agree with you, If they don’t give out some form of genuine apology that’s not words I will never use an Envato product again. I understand hacking happened but plain text.. I don’t have the words to describe how annoyed I am.

  • http://www.austinfx.com Jason

    So, how do I change my password for Tuts + ?

    Any page I go to shows the splash page with the security update / warning.

    Thanks guys!

    -J

  • Andrew

    I’m actually unsubbing as a result of this. I just feel unsafe especially when money is involved. You never hear of this happening on other similar tutor sites. I’m off to lynda.

  • b

    I am appalled at this! How can this happen when you teach security measures? EPIC FAIL and I will not be associated with such amateurs.

  • http://overnightpost.co.uk sharpie

    Hi,

    I agree with the general sentiment here and I have to say that I don’t think it’s unreasonable that, when you come back online, there is some form of compensation for the existing members.

    I am trying to find a reason to continue my membership but believe me this is proving difficult.

  • Todd

    Can you tell us if our credit card numbers were also compromised?

    • http://envato.com Vahid Ta’eed

      Hi Todd – no, they were not. We use PayPal/Skrill/MoneyBookers and do not record credit card details.

    • http://twitter.com/twittem Edward McIntyre

      Although your PayPal email address is stored so if the password is the same make sure you change it.

  • Anon

    I use the same pattern to ease remembering passwords on all sites, all the internet sites, even a Domino’s delivery one needs registering. The best thing is to at least follow a pattern to remember easily, and without any doubt I can say more than 60% of people will do the same..

    And I am registered on more than 200 sites, and now I have to take the punishment of changing passwords on each and every site (or say most of them.. if I have to be sure of my security) just because of your Ignorance and Laziness!

    Mistake yours .. Punishment ours… Not a fair game!

    • http://dongilbert.net Don Gilbert

      I do the same thing – I use a pattern based password system that combines a common phrase I use but has high entropy, and then I customize it per website. Even though I was using independent passwords for every website, I potentially need to change them all now that the attackers have the pattern.

  • ian

    Well, I still have faith in you guys.

    For all the “duh, clear text passwords?” type comments, those people sound like the typical arrogant developer who thinks all their stuff is perfect.

    It’s a third party plugin which most likely had good reviews and was tested. You have to have some level of trust in third party plugins. I doubt everyone here complaining tears apart the code of third party plugins/modules/scripts re-writing them and looking for security flaws. If that was the case everyone would just write their own plugins.

    I see it as a lesson learned for Envato and for us members to double check the functionality of plugins and not assume the plugin is secure to use.

    I appreciate and respect that you guys notified everyone so quickly and put your reputation on the line for us rather than trying to cover it up or place blame elsewhere.

    • John M

      I’m sure it felt great dismissing the thousands of users here with genuine concerns as “arrogant”, but I think you have failed to understand the following:

      When dealing with user privacy and passwords, there should be no “trust” for third party plugins. It is Envato’s legal, moral, ethical and professional responsibility to at the very least take reasonable precautions to ensure the privacy of their users. Storing passwords in plaintext is a breach of the trust placed in them by all their users. It also goes against the best practices that they themselves preach. It is also potentially criminally negligent, but I am not an expert at such matters.

      The “security flaw” as you put it could be discovered simply by inspecting the users database, something that is likely part of routine maintenance on the site. It is downright infeasible that they would use such a plugin for any length of time without knowing the passwords were stored as plaintext, and they admit to this in their statement.

      Your attempt to defend them is admirable, but misguided and not deserved.

    • ian

      Actually John, I was only dismissing a few people. At the time of my comment, there were only about 300 comments and less than half of them were the type of comment I was speaking of. I would never dismiss genuine concerns but comments that resort to calling out someone’s mistake and calling them stupid or idiot, or the sarcastic “duh” and “wtf” and especially those comments dropping all those F-bombs, do no one any good. And usually when I hear someone say things like this, they are arrogant and don’t realize their own stupid mistakes like using the same password for your paypal or banking that you use for an online course. I could say “WTF? really? Idiot!” but what good does that do? I’ve been guilty of the angry post or even long drawn out rant full of name calling and discust before. I did it out of anger and wish I could go back and delete it and yes, I hope anyone that ever reads those comments immediately dismisses me because I deserve it.

      It wasn’t until reading later comments throughout the day that I realized Envato was aware of the issue a year ago but I still think a lot more thought went into it than what we are aware of. Surely, someone was thinking they would just do a real good job protecting the database until they could fix the issue with an upgrade or replacement of the plugin.

      In this case I agree about the trust of the plugin and it’s a lesson learned for Envato and a good lesson for the rest of us to learn from Envato’s mistake. The lesson being, be sure when dealing with user data to make sure a plugin is secure. As for “no trust” for plugins, I wonder how many other wordpress sites use the aMember plugin and how many web app developers use tankAuth, OAuth, or other third party modules/packages/plugins for their login systems and really don’t know if they are secure or not but trust them because a lot of people use them and no one has complained yet. It seems to me that frameworks and CMS systems actually encourage using these third party plugins.

    • ian

      yes I misspelled disgust and probably a few other words. :-)

  • http://about.me/atmd Andrew

    Wowzers, I don’t know what shocked me the most, the passwords being stored in plain text, or the amount of people who didn’t read the article and asked if the passwords were encrypted or how to log in and change their passwords.

    Don’t be outraged if you’re not going to bother to read the article!

  • http://pippinsplugins.com Pippin

    Before just flaying them (believe me, I think it’s inexcusable too), please read my comment above: http://marketblog.envato.com/general/tuts-premium-security/#comment-26156

  • Azulalnacer

    Sorry guys, but I just cancelled my subscription; I think it is the only way to protect my interests. When I can trust you again, maybe I will decide to subscribe.

  • Becky

    Clear text passwords? Oh wow. I’ll be taking advantage of the 30 day money back guarantee then – I’ve had my account less than a week.

  • John M

    Plaintext passwords? What were you thinking? You clearly weren’t. Such irresponsibility and apathy for the security and privacy of your paying customers is unspeakable.

    Not only that, but you’re still storing all my information when I haven’t been a paid member for years? Don’t data protection laws have rules about storing data that’s no longer relevant or necessary?

  • Pablo

    Storing passwords in plaintext is inexcusable. What’s more infuriating is that you admit to knowing about this problem, and seemingly chose to do nothing about it until a breach occurred. It shouldn’t have happened in the first place. Envato exposed its users and acted completely irresponsibly. I loved your service, but I’m afraid this is totally unforgivable. Envato, you’ve lost my trust. Honestly, why should I even consider coming back? I too, will be cancelling my subscription.

    FFS

  • Filip

    I want a refund, but where can I get this? Where can I find the e-mail address for tuts+?

  • Chris

    Plain-text…? Really?
    With all the Tuts about security and web development you guys use a plugin that stores passwords in plain text…
    Unacceptable.

  • jghjhgjgh

    can’t remember what the password I used here was…………..
    And I would probably never know, since you changed all passwords……… good job

  • http://www.krsiak.cz/ Krsiak Daniel

    Envato could answer this as many ask

    “Were our credit card numbers compromised ?”

    but they will not
    just imagine how almost 1,737,122 members sue them at court ?

    so they will tell you “only” your emails and passwords got stolen
    :)

    when
    http://www.amember.com/p/

    is dumb enough to use plain text for this stuff why not even for bank account details :)

    • http://envato.com Vahid Ta’eed

      Hi Krisiak, I’ll try and respond to the original comment, but just in case I’ll also respond here. Envato uses PayPal / Skrill/MoneyBookers and does not store Credit Card numbers. The Envato Marketplaces were not compromised. However, that said, if you use the same password on different sites, including the Envato Marketplaces, then you should update your password immediately.

    • ian

      I believe only paypal has the actual credit card info. At least for the tutsplus subscription part.

  • Jinxed

    Now I know why there are no relevant topics concerning security on nettuts.

  • jarod

    “Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)”

    Are you fucking serious?

    Even a fucking 12-year-old kid knows that this is fucking bad.

    With all the team members you have and the money you’re supposed to make, security should be YOUR TOP FUCKING SECURITY.

    So instead of acquiring dumb services such as snipplr that don’t work anyway, invest a fucking 100$ on a security consultant that will tell you what you do is fucking bad.

    See… this is why people don’t like to signup on online service anymore; this is why people want everything for free with no signup nor just giving their e-mail.

    It is 100% because of guys like YOU who make such fucking decisions (to use a dumb plugin that doesn’t hash your password… fucking SERIOUSLY!!!! can’t you re-do the plugin and use encrypted passwords?).

    Not only is this fucking unacceptable for a regular dumb free app, but for a paid membership this is totally fucked up.

    The worst part of this mess is that you guys KNEW you were storing cleartext passwords – it’s not even like you had a DDoS from some chinese IPs… it is 100% YOUR fault!

    This is also why users stop inserting CC details in marketplace or ecommerce sites directly…

    By doing such dumb things, you don’t only fuck your company up, you screw an entire ecosystem… because nobody is going to renew their membership after this, and that’s thousands of people who may not use a password on sites that don’t have the dumb SSL EV green bar.

    ######

    I hope someone is going to get their PayPal account hacked because of you, that they’re gonna lose 100K$ and that they’ll sue you for your incompetence.

  • Jonathan

    Where the hell can I log in to update my password? Every LOG IN url simply brings me to the page showing a link to this page. WTF?!

  • http://www.wdonline.com Jeremy McPeak

    Early this morning I received an email from ActiveDen with a password reset request. I did not request it. I’m curious now if my marketplace account was attempting to be compromised with information from my Tuts+ account.

    • Filip

      Hi Jeremy,

      How do I come in contact with tuts+?

    • http://tutsplus.com Jeffrey Way

      No – they did that as a precaution.

  • Envato Suck

    I’m NEVER using you guys again. Storing password as plain text is fucking stupid

  • discontent

    “Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted).” WTF, why does this sentence feel like a sales pitch? Still humping that dream huh. “We are deeply and urgently committed to addressing this situation and ensuring that the damage caused by the attack is minimized as best as possible.” If you’re so deeply committed, then why didn’t you fix the situation as soon as it was known? Oh yeah, and how about refunding me the money for my year long subscription, because I for one most certainly did not sign up for the service of just handing out my information. I could have done that myself for free, though probably not as effectively as you. F**k! See, that’s really difficult. This is like someone paying you to watch their house, then knowingly leaving the front door wide open when you decide to go to the bar every night. Whatever, you suck and I’ll not be asking you to house-sit.

  • Ross McLoughlin

    What about the other Envato websites? Were they compromised too? I’m a member of ThemeForest, with a separate set of login details.

    • http://envato.com Vahid Ta’eed

      Hi Ross, the marketplaces, including ThemeForest, were not compromised. However if you use the same password across different sites then you need to change your password immediately. Especially passwords for email accounts, PayPal or Skrill/Moneybooker accounts.

  • http:/www.bruuuce.com Si Twining

    Unencrypted passwords is unforgivable.

    I’m out.

  • Anonymous

    I haven’t been a member of tuts+ for ages now, not since back when it first launched.

    I know you were using amember, which I saw and then tried to use on a client’s site, before realising it sucked and rolling my own. I’m surprised you stuck with it for so long.

    Coming out and telling everyone must have been extremely difficult (I thought the email I received might have been spam at first), and you’ll undoubtedly lose members and this will suck. But thank you for telling us honestly exactly what happened. A less reputable company may have tried to hide behind PR speak or if they were really shady just not tell anyone and deny it if it came up. So thank you for being honest.

    This was a mess up on envato’s part, but I’m sure you’ve heard enough of that from the other commenters and understand it yourselves, so no point in being a dick about it!

    Best of luck and I hope this doesn’t hurt your services for too long!

  • Raffi S

    Yeah, it sucks. But I mean «cleartext»? Guys, c’mon!

  • Mist

    Seriously – clear text passwords? You knew about this, and you had a “plan” to update? There shouldn’t have been a “plan” – you should have corrected this the moment you discovered it, even if you had to pull an all-nighter or work over the weekend. This is the sort of thing that required an IMMEDIATE update, an IMMEDIATE fix.

    By the way – third party my rear end. Once you implemented the software, you took responsibility for it. You should have checked. When it comes to storing sensitive data, that should have been the first thing that was checked and then double-checked.

    My god. An internal “plan” in progress to fix it. Your PLAN should have been to take the site down the moment you realized there was such a dire error in place. You were probably trying to fix it in a way where you could save face and then dragged your feet about it. What total crap.

  • http://mdnw.net Brandon Jones

    This happens all the time nowadays… yes, storing unencrypted passwords was a major oversight… but these sorts of attacks are becoming somewhat synonymous with small companies making it to the bigtime.

    Maybe I’m jaded, but I’ve always just taken it for granted that anything that needs to be protected online requires some pro-active steps on my own part (changing passwords regularly using generators, not using the same passwords on different sites, etc.).

    So yeah, this sucks for Tuts+ even if it is their fault for not being on top of this. And yes, it’s tragic that this happened on a site that actually hosts some darned good security tutorials. There are certainly steps that users can take, but that should need to be the case… take them anyways.

    • Kieran

      Oh it happens all the time, I guess that makes it okay then. Silly us for getting all upset at this poor site for storing our data in plain text because like you say, it happens all the time.

      You know what else happens ‘all the time’? Car crashes, maybe we should all stop wearing our seatbelts because it happens all the time anyway, might as well fuck any safety we do have.

      There is no sympathy due here, Envato knew of the problem and did nothing (saying and doing are 2 very different things). They have also been vague on this ‘third party plugin’ they’re using…It can’t be aMember because they DO NOT store passwords in plain text (See here for proof: http://www.amember.com/forum/threads/password-on-resend-sign-up-info-is-encrypted.14218/ ).

      Envato have completely fucked their users here, nothing they can say or do will fix the hordes of members jumping ship, and the amount of bad PR they’ll get from this (thus deterring new members) will be huge.

      Stop trying to pass the buck to the users to be more ‘proactive’ in using different passwords, you don’t tell a rape victim to dress differently. We’re the victims here, Envato have got off. If this were in the EU Envato would have been taken to court over storing passwords plainly. IT’S COMMON SENSE!

      All trust and respect I had for Envato and their Tutsplus brand have completely gone.

    • http://mdnw.net Brandon Jones

      I should also note that the response that Envato has had is actually what reassures me the most… lots of companies “hem and haw” about the details when this sort of stuff happens… the fact that Envato has been entirely transparent about it actually makes me feel a bit better about the entire situation.

      I should also note that I realize that there is a level of separation here if it’s software that Tuts+ was using and not something dev’ed directly by them… which is a reminder to pretty much all of us that we’re really only as secure as the weakest “link” that we leave out there on the net (no pun intended).

    • matt

      Yes, They made a mistake in not taking care of this a long time ago.

      Does that mean that the information they provide is now going to be invalid? No.

      Sucks but, in the end.. We are still breathing.

    • Mark Simpson

      > the fact that Envato has been entirely transparent about it actually makes me feel a bit better about the entire situation.

      Seriously?

      They get hacked, then don’t mention the vulnerable plugin to help everyone else in the community. That’s the reverse of transparency, and it’s terribly selfish. I count that worse than storing passwords in plaintext.

    • jarod

      Dude… wtf are you talking about?

      Even LinkedIn, a publicly traded company, informed their users about a security breach.

    • http://pippinsplugins.com Pippin

      They haven’t officially said the name, but I can tell you the plugin is Amember.

  • Michael Dixon

    I am a bit disappointed to hear that the data was stored in cleartext. Thankfully I am paranoid and use at least 4 different passwords all the time. It becomes a bother sometimes but it allows me to sleep soundly at night, knowing that it will be harder for a crook to steal critical info.

  • Et

    oh no

  • Blake

    aMember v4 doesn’t store passwords as plaintext anymore, why wasn’t the current version upgraded when aMember v4 was released?

    As soon as aMember v4 was released, I made sure my sites and clients’ sites using aMember were updated with the newest version; I even persuaded the older users of aMember to purchase the upgrade if they didn’t have it.

    I am disappointed that this came to this after a secure version of aMember was released.

  • http://jamesoakley.com James Oakley

    Come on everyone. YES, envato made a HUGE mistake by continuing to use a system that utilizes plaintext passwords, but you too are to blame if you don’t use unique passwords. You can’t bitch about Envato not using secure techniques while you yourself don’t do the same.

    This is not an excuse for envato, they did a terrible thing. It’s not that complicated to modify any system that uses plaintext passwords to use encrypted passwords. But at the same time, if you didn’t rely on third parties (i.e. Envato) to protect your “master” password, you would not be so pissed off! STOP USING THE SAME PASSWORD!!!!

  • Dont want to write

    That’s OK. Now put out a HUGE “Delete my account forever” button too when the system comes back. thx.

  • chris

    How do I unsubscribe? I would like to start over with a new account and dump the one I have.

    Thanks

  • Steve

    I’m sorry Pippin, I’m not buying that. If it is such a headache to fix the problem, can you explain why tuts+ expects to be back in 48 hours, and I’d presume with the issue fixed?

    They could have closed the site at any time in the past for 48 hours; I’m sure that would have been acceptable to the members, to fix such a serious issue. Instead, they waited and hoped that the passwords would not be compromised until they got around to fixing the issue.

    So please spare me your excuses, there are none on this occasion that can justify this, it’s a blatant disregard for the security of the site’s members.

    • http://pippinsplugins.com Pippin

      Hey, I don’t work with and am not affiliated with Envato in any way, but I do understand the situation. Also, don’t forget how large Envato’s dev team is. If they needed to, they could build an entire system from scratch in 48 hours (which is probably what they should have done anyhow).

  • http://www.clamnuts.com Bobby

    Where do I actually change my details? The breach is bad but not providing a link to login is worse!

  • Aakash

    This wasn’t expected from a resource like Envato. Clearly, attackers looked for details to exploit on other stuff like Paypal.

  • Kieran

    This is an absolute joke – I’ve cancelled my subscription and set a dispute up with Paypal to get my latest 2 payments refunded (they were only taken by Envato 2 days ago).

    You’re a complete bunch of idiots to let this happen….Plain text….I’m actually speechless.

  • Anil

    I’m at a loss of words. I don’t understand how a company whose prime mission is to educate the community on how to do things properly, messes up on something that is common knowledge to any proficient site owner. In addition, I’m willing to bet that our passwords have been stored in cleartext from the day your site launched, because no one in their right mind would think it would say “Hey, let’s stop using this secure way of storing passwords and store them in cleartext”.

    And by the way, perhaps you should take down this article, it’s not helping your cause:

    http://net.tutsplus.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/

    Seriously, this is very upsetting, as I looked to you guys to be a trusting and reliable source of knowledge. :(

  • Mihkel

    So guys, 19.99$ a year would be a very nice “We are so sorry” card.

  • Dan

    It’s amazing how many people on here think their passwords and personal details will ever truly be safe. Really? Envato should have planned better and cut off this storm sooner; but securing digital information in a highly intelligent hacker world is kind of like trying to nuclear-bomb-proof your house when the bomb is in the air. Good luck Envato; make it better in the future and act more quickly.

  • TScott

    Dear Envato,

    Thanks for letting me know this awful situation.

    I would like to know, what my password was?

    I’m trying to change my passwords in Paypal etc… But I don’t remember the answers on my secret questions, to be able to change my passwords… I can’t call the help desk department because ‘working time is over?’… Need to wait for another whole day/night..

    I’m really stressed now…

    Still… I love your tutorials, they keep me inspired, especially the ones of Jeffrey Way.

    Kind regards,

    Timothy

  • http://www.terrorbullgames.co.uk Andrew

    No excuse whatsoever for ever *ever* storing passwords as plaintext. Even hashed passwords are shoddy practice these days. And to come from a company I looked to as an authority on best practice for these matters …

    Plus you admit you were fully aware of the problem (good) and yet you didn’t do anything. That’s both arrogant and careless and smacks of huge disregard for your PAYING customers.

    Cancelling my membership immediately.

  • joshuabrowns

    “Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.”

    That is extremely pathetic.

  • notta

    It blows my mind the questions that are being asked. Did you guys read the article above?

    I was trying to be cool about this, but this is totally unacceptable. I’m supposed to be working, but I’ve spent my entire morning running around changing passwords. I have work that needs to be done, but no, I’m spending time doing this.

    People are saying it’s not Envato’s fault. Well whose fault is it then? When you run a business and start taking people’s credit card numbers you are now held liable. People want to make money, but they don’t want the responsibility that comes along with it. This has been a major inconvenience for me.

  • ClusterFucker

    I blame myself firstly.

    It is my fault that I’ve used the same username and password combo everywhere even though I know I’m not supposed to.

    It is my fault I trusted a website that talks about security but doesn’t practice it.

    It is my fault that I never took the time to protect myself.

    However, you should definitely refund every dime anyone has ever spent on this site. This is unacceptable that you not only knew about the issue, but neglected to do anything about it.

    You should brace yourselves for a class action lawsuit.

  • http://omarabid.com Abid Omar

    I’ll get over the negative comments here, and not because I’m an author, writer and a good % of my income is from Envato.

    It’s time to realize that we need quality products. It’s not Envato’s mistake, but it’s Envato’s responsibility. I’m sure that a large chunk (or let’s say a huge chunk) of products in CodeCanyon and ThemeForest are not secure or have security issues.

    It’s time Envato looked at this particular point. For example, the Marketplaces don’t use HTTPS, which is a MUST-HAVE. Some sellers did mention it months ago, but still Envato is not doing it.

    It’s high-time Envato takes care of this stuff. I understand that security is expensive and an unnecessary overhead when you start. But now that you run a company with millions of users, you must have it.

  • Gabor

    Hi!
    I joined Tuts+ just recently by subscribing for the one-year-long Premium Membership.

    Yes, I’m disappointed as well as most of you guys, but I think that as a community we should be constructive and thinking about the possible solutions and not to throw mud on our tutors who are really professional in what they are doing.

    I’m in the middle of studying Jeffrey’s, Ben Gribbin’s and Jeremy McPeak’s courses and I really enjoy them and am looking forward to continuing with my studies here.

    I changed my passwords, did the best I could but I don’t want to join the crowd of loud Jim Crows. Lynching and destruction is a dark pleasure but we are supposed to be web developers. Builders. People of development who extract pleasure from creation.

    And those miserable thieves who are trying to steal money from students… it’s a well known fact in many cultures… they will all perish very soon.

  • anthonyc

    This isn’t isolated to the TUTS Plus site. I’ve seen suspicious behavior from my themeforest account trying to “re-bill” me for the same identical amount ..after I had deposited money on there previously.

    • http://pippinsplugins.com Pippin

      It IS isolated, but if you are using the same password on both, then the hackers could have access to your marketplace account.

  • Richie

    Goshh

  • weathered83

    Hi I can’t remember my password. Can the psd tuts admin send my password to my email address please?

  • http://No Adam S

    Won’t be renewing ever because of this. You store passwords in clear text? When has that ever been alright for a site that accepts financial transactions? This isn’t your mother’s blog. For those of you that don’t know much about coding, the first thing they teach you when accepting passwords is how to encrypt them, unless you’re learning from a baboon. But because of your incompetence, now my passwords for other sites are compromised as well? You guys are really in over your heads here at tuts plus, and it’s partially why, even though your content is diverse, you’ll never compete with the bigger giants like lynda.com.

  • John Boyed

    Vote for more security tutorials

  • http://mymodernweb.com Jason Dittmer

    I agree that storing passwords in plain text is absolutely stupid and Envato really screwed up.

    However, if any of you reading this are using the same password on multiple sites, then you need to ask yourself if you are following “best practices”.

    Get a password generator and use something like 1Password or this won’t be the last time you have to deal with this.

  • Aaran

    Looking forward to the net+ tut on how to store passwords securely, e.g. salts, md5, SHA1 ..

    This is crazy to me, and whoever coded this 3rd party plugin should be shot. I’m no expert on security, but I know even an md5 is better, even with rainbow tables out there.

    • Anon.

      Don’t use MD5/SHA1 and ‘salts’ to store passwords. Use a KDF like PBKDF2 or bcrypt.
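
The distinction Anon draws (a salted fast hash versus a real KDF) is the technical core of this whole thread, so here is an added example that is not code from Envato, aMember or any commenter. It uses only the Python standard library: PBKDF2-HMAC-SHA256 (bcrypt is equally good but needs a third-party package), a random per-user salt, a self-describing record format, constant-time comparison on verify, and a one-shot migration of a plaintext user table of the kind the post describes into hashed records, plus an audit helper that finds any records still stored in the clear. The iteration count, record format and sample accounts are all assumptions constructed for the example.

```python
"""Added example: plaintext credential store vs. a salted PBKDF2 store,
with migration and an audit check. Not Envato's or aMember's code."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor for this example; raise it as far as your login
# latency budget allows, since it sets the attacker's per-guess cost.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGO_TAG = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The anti-pattern from the post: the stored record IS the password,
    so a table dump hands every credential to the attacker directly."""
    return password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.
    A fresh random salt per user defeats precomputed (rainbow) tables;
    the iteration count is what makes this a KDF rather than a bare hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        ALGO_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so a timing side channel cannot leak digest bytes.
    Malformed or foreign-format records never verify."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    if algo != ALGO_TAG or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


def is_hashed_record(record: str) -> bool:
    """True if the record is in our KDF format (does not prove correctness,
    only that it is not a cleartext value)."""
    parts = record.split("$")
    return len(parts) == 4 and parts[0] == ALGO_TAG and parts[1].isdigit()


def find_unhashed_records(table: Dict[str, str]) -> List[str]:
    """Audit check: usernames whose stored record is still plaintext.
    Run this against a copy of the user table; a non-empty result means
    a breach of the table exposes those passwords outright."""
    return sorted(user for user, rec in table.items()
                  if not is_hashed_record(rec))


def migrate_plaintext_table(table: Dict[str, str]) -> Dict[str, str]:
    """One-shot upgrade of a cleartext user table to PBKDF2 records. Once
    this has run the plaintext column can be dropped; the original
    passwords are no longer recoverable from the store."""
    return {user: hash_password(pw) for user, pw in table.items()}


# Constructed sample data for the example only; not real accounts.
LEGACY_TABLE = {
    "alice@example.com": store_plaintext("correct horse battery staple"),
    "bob@example.com": store_plaintext("hunter2"),
}

if __name__ == "__main__":
    print("still in the clear:", find_unhashed_records(LEGACY_TABLE))
    hashed = migrate_plaintext_table(LEGACY_TABLE)
    print("after migration:", find_unhashed_records(hashed))
    print("bob logs in:", verify_password("hunter2", hashed["bob@example.com"]))
    print("wrong password:", verify_password("hunter3", hashed["bob@example.com"]))
```

The record carries its own algorithm tag and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day; the audit helper is the check a maintainer could have run on the table at any point to confirm nothing was still stored in the clear.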

  • Pingback: Zamtech » The Envato Market Place Hacked()

  • Akram Abbas

    We’re with you! :)

    Take your time… We all know websites are never completely secured :) so give your best.

    Thanks,
    Akram ( Pakistan )

  • Andre Silva

    Sad to know that a service like this stores user’s passwords as plain text. Very disappointed. No matter what external service you use, this is extremely serious and totally preventable.

  • Facepalm

    I’m not a developer, and even *I* know passwords shouldn’t be stored in cleartext, and why. You say you knew this was an issue. A thirteen-year-old could figure that out these days. So frustrating. Thank you for bringing this to our attention so quickly though.

  • mxl

    I’m a premium member, have been even though since the old site, and lately I’ve been wondering if Envato only cares about taking our money. We have begged and begged them to allow us to be able to download video tutorials in one, we have begged to be able to download psdtuts tutorials for viewing offline like the old sites, but they have ignored us. It seems they care more about sales than looking after current members….now this issue of a security breach through a careless attitude of theirs towards their members has clearly shown…ENVATO DOESN’T CARE ABOUT MEMBERS.

    As talented and rich as the company is, you should not even be using “free plugin” that has a big security hole as the one that got exploited, you even knew about it before hand but never thought about changing it, all the efforts you make into promoting your other market places, graphic river etc just points to one thing…you only care about Sales.

    Are we going to get compensated? Nobody wants their money back you should at least give us 2 premium tutorials every week for a month or so, just ask sony what they did for us, that’s just a small compensation for your premium members.

  • http://ferus.info Maciej

    I am really disappointed to hear that a site like yours, developers like yours who teach us to develop our applications safely, made that mistake. The first lesson that Jeffrey Way taught me was to never store non-encrypted passwords in the database.
    Really, that is sad. I am looking forward to better security. I am still convinced to use your systems – but now I will just be more aware of security.

  • Gochoo Gomboo

    It sucks. I just had my paypal used by someone else. I need to contact my bank and solve those problems. Envato! You made a lot of trouble for me to deal with.

    This is horrible, especially like Envato. I had all my hope with you

  • Michael Fouquette

    I. Am. Crushed. Baffled. Disheartened.

  • Pingback: Verelo.com Blog | Tuts+ Premium Down After Security Breach()

  • Bruceton Aisher

    What the heck envato? Storing passwords as clear text because you are too busy rinsing your customers of their hard earned cash. I know you say it was a ‘work in progress’ – but it’s really not that hard to encrypt passwords. I think you are just too lazy. I will not be recommending your services to people in the future.

  • b

    Who would be the best contact for my lawyer to talk with about this security breach? You have not only cost me a lot of time in changing passwords, but I may also have an issue with my bank account being accessed due to this.

    • ClusterFucker

      Time for class action…I see a good 200 people alone in this blog that are eligible.

    • bsmitty brennan

      hey guys we got an internet tough guy here!

    • http://jobsbayarea.net Joseph

      Ok relax there. Yes, they made a huge mistake and they are going to lose a lot of money. Some people are going to lose their jobs from this incident and some might lose their jobs because people are leaving the site.

      You don’t need to make matters worse.

    • http://philmorrow.co.uk Phil Morrow

      Better do what the dog says, he looks pretty serious.

      Unless you used the same password for TUTS+ and your email account, and then stored all your bank details in your email inbox – your money is safe. All payments are handled off-site, and always have been.

  • http://imyjimmy.com Jimmy Zhang

    Not cool, guys. Not cool. Let’s just fix it and get it over with.

  • http://www.krsiak.cz/ Krsiak Daniel

    I just like one thing here:

    attacks on high tech savvy sites lately
    Gmail
    Linkedin
    Tuts+

    … and several more.

    I seriously think about quitting any web design I do.
    Stop using the internet and just go work as a lumberjack in Canada.

    Still will be safer up there :D

    • http://www.krsiak.cz/ Krsiak Daniel

      but I am having fun

      I am just waiting for when my hard earned money will go AWOL

      my gmail got hacked 2x
      linkedin 1x
      now Tuts+ … real fun this year :)

      and I am using 20+ character passwords, with letters, numbers and several special characters

      so I wonder and feel sorry about all the ordinary users

    • http://twitter.com/twittem Edward McIntyre

      Pffttt… I’m a Canadian that dresses like a lumberjack and does web design. You really can have the best of both worlds.

    • doru

      but what about grizzly bears?

  • c

    LOOOOOOOOOOL!!!!

  • Lars Steen

    According to a comment on Reddit (http://www.reddit.com/r/PHP/comments/vmo5z/envatos_tuts_website_hacked_emails_plainttext/c55uijz) they knew about this since late June 2011.

    Wtf?

    • Lars Steen

      No approval?

  • Dan Peters

    So this happens to be the month I sign up for Tuts+ Premium. Nice.

  • Steve

    The hacking of emails and passwords is getting a bit ridiculous now, and not just in this particular case. It’s just one of those things that we all have to deal with at the moment.

    It’s impractical for most users to use a different password for everything they signed up to, but that would help when systems get hacked.

    Maybe it’s time for the browser manufacturers to step up to the plate and somehow automatically ensure that every site you sign up to uses a unique password for that site. Possibly hard to implement though, especially for multiple devices.

    Or maybe the users should just take more responsibility themselves and make sure they use a different password per site. Generally, if you forget a password you can just get a reset.

    Obviously the websites themselves should be more aware about their security but, as users, there MUST be something that can be done to stop us having to change all our passwords every time an unfortunate unsecure site gets hacked. Any takers?

    • Bill

      Using LastPass or a similar service creates exactly this functionality.

  • no more trust left

    You guys should read your own articles, http://net.tutsplus.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/

    How does this happen, and do you know that you will be losing a huge percentage of your users due to laziness?

    You guys are F’d and you will be hearing from my lawyer.

  • Don

    @Envato:
    Real bonehead maneuver on your part but at least the CEO is stepping into the line of fire and accepting the blame. You don’t see that too much anymore. That’s not to excuse his company from the inaction on their part that resulted in this breach and will probably cause me to unsubscribe.

    @ Everyone whining about having to change passwords:
    It’s just as bad for YOU to use the same password for various sites as it is for them to be saving them in clear text, so do what Collis has done and take a bite of the irresponsible sandwich.

    • http://pippinsplugins.com Pippin

      Well said sir.

  • rene

    now would be a good time to switch to facebook authentication

  • http://www.creativedojo.net VinhSon Nguyen

    Very disappointing indeed, luckily I recently changed all my passwords to unique ones per site. I’d highly recommend everyone who hasn’t already to move to a more secure password routine.

    In the meantime, I am very interested to see where things will move forward from here. I am very disappointed in hearing people leaving the Envato sites because of this incident. The content and information on the Tuts+ sites are still very valuable and have nothing to do with this incident.

    • ian

      Hey VinhSon,

      I agree, we should all be using a more secure password routine.

      As far as the content on Tuts+, I’m just waiting for the issue to be resolved so I can go to the next lesson. And I still want them to do a lesson on securing WordPress and the server :-) I won’t write them off due to one incident that could have happened to anyone.

    • https://twitter.com/#!/cuorealmeazza Cuorealmeazza

      This error can happen to anyone here; not many people remember this is handled by humans, not by machines. If you think that what happened to Envato is a big mistake, I think it is also a BIG mistake to have the same password for many of the services we use online. It’s a great neglect what has happened to this team, but that does not diminish the high regard I have for them. Two weeks ago I became a new member of Tuts+ Premium and I have learned more than in three months in college. Surely after this they will learn and provide greater security in their portals. FORZA ENVATO!

    • Shane Osbourne

      I agree. I’m not going to un-subscribe because of this – I just hope they can improve their security ASAP. :)

    • Michiel

      I agree. Tutsplus still is an excellent source for learning web dev and I hope that this incident will not be the downfall of it. On the other hand, maybe it’s better that the instructors of Tutsplus go seek another employer. One that checks a plugin for security and doesn’t wait when a security issue is located..

  • Josh

    I couldn’t believe my eyes. Cleartext?! From Envato? I expected better. I’ve closed my tuts+ premium account. If my privacy is not your priority, then I’ll learn elsewhere.

    Thanks for having the decency to let your users know of the breach.

    It’s cliche, but practice what you preach!

  • Yashi

    Hi Jeffrey and Collis,

    I think this is not a big deal; we can change our password anywhere. I know you guys are working hard on this matter. I appreciate that (thumbs up). I heard some guys talking about Envato using the aMember software package. I think it’s better to move to WHMCS for the payment process because it’s the most perfect solution for you guys. And Collis, thank you once again for reminding me about this situation, and Jeffrey, you are the best tutor in this type of e-learning class I have ever met. I learned more about jQuery and now PHP too, thank you for your hard work… (Thumbs up)

  • http://codefusionlab.com CodeFusion

    When I first got the email, I’m like, no big deal – it’s Envato – they surely would have salted the passwords, hell they probably added pepper, mayo, and relish as well.

    Plain Text? You screwed us Envato!

    I hope Tuts+ dissolves itself into Nettuts – as a resonating reminder of what stupidity costs. Besides, the free tuts were often better than the paid tuts.

    • http://www.leihai.com/ Stephen Curtis

      The free tuts were good for keeping up on new stuff, but when it came to training new staff, nothing online can beat the courses on the paid site.

    • http://codefusionlab.com CodeFusion

      For a veteran – it is of little value – in fact – it is now a liability.

    • Andrew

      In all fairness, I find Tuts+ Premium to be somewhat lacking compared to other sites. E.g. the HTML5 tutorial is very basic, there is still no sign of a proper OOP/design pattern PHP based tutorial, no tutorials on Python, no training on a proper MVC framework yet, no training on version control etc. etc. Only now have they added a proper training regimen on JavaScript. It must have really sucked to be a member before these few tutorials showed up.

    • http://www.thaerigen.net Kiki

      @Andrew: You don’t seem to realise that the variety of subject matters appeals to people from different creative backgrounds and with different interests. Speaking for me, I don’t do programming and thus am not very much interested (yet) in Python tutorials, or any tutorials on audio or 3D for that matter. I am an illustrator and graphic designer, not a coder, and the site’s content was and is very good in this regard and has never sucked. Otherwise I wouldn’t have subscribed.

      As for the breach of security: yes, it was unfortunate, if not downright stupid to not encrypt and salt the password data. But while venting and cussing and salting your language and screaming for a class action suit and the CEO’s head on a stick might feel good for a moment, it doesn’t do anything to solve the larger issue at hand.

      He who is perfect cast the first stone. If people weren’t lazy and didn’t use the same password and email combination on every site they registered with, they wouldn’t have to spend hours to change it now. How often do you change passwords anyways? Once a week? Once a month? Once in a blue moon?

      And yes, while password storage software solutions with autogenerating password features like LastPass or 1Password are great, they only transfer the problem to us: what do we do when (not if) our hard disk crashes and we have no backup of the software’s data?

      Yes, there’s The Cloud for backup. Well, what if Dropbox sees fit to shut our accounts down for any real or suspected breach of their TOS and your backup files are lost or inaccessible? Do you remember all your autogenerated passcodes?

      Many of us here are freelancers who have to safeguard client data. Do you encrypt their important project files and burn them to a DVD that you do store in another building? In addition to storing them in the cloud or on another hard drive or USB stick?

      We know what best practices look like only in theory, because they aren’t best practices. They are a royal pain, time-consuming, expensive and not perfect. Thus, we don’t use them, because man is a lazy creature of habit.

      Vent all you want, cry foul and take envato to court if you have the time, money and energy and if it makes you feel better. Or accept that nobody is perfect and sh*t does happen and step up your own game.

  • http://launchmeweb.com Steve Barman

    That sucks that everyone’s info was compromised, it would be less of a suck if I could get access to the tutorials for the time being.

  • Vincenzo

    Just pathetic. I’m going to go ahead and venture a guess that the membership provider’s databases were breached through the use of SQL injection as well.

  • Darryl

    Would you care to share “exactly” what information was stored in your database please, and please tell your customers what you are doing to prevent this from ever happening again?

    I find it worrying that despite your repeated comments that all attempts are being made to restore the service, you haven’t mentioned any attempt to improve your security?

  • TheTutorialsAreStillGood

    Lots of commenters seem to be conflating knowledge with action.

    Knowing the right thing and doing the right thing aren’t always the same.
    Violating best practices in password storage doesn’t mean that your tutorials are inaccurate when they lay out best practices.

    Your tutorials are still great, and are the reason I’ve been considering subscribing. This breach barely affects that consideration, especially since payment information is managed by Paypal & Moneybookers/Skrill.

    I have a unique password for nettuts, so while this is a failure on envato’s part, it really isn’t something that affects me negatively.

    I’ll just generate a new password when the time comes, and be on my way.

    • Filip

      But if they got your email address and date of birth they will have access to your Skrill / Moneybookers account. No email confirmation needed, they just change the password on the site.

  • KARTHIK

    VERY SAD !!!!!!!!!!
    You people are good. There are lots of subscribers who trust you.
    Happy for you to recover and tell the story. Security being compromised is not a problem, but the data you stored in plain text… this is ridiculous; you guys operate a chain of websites.
    Please get back to work ASAP.

  • no more trust left

    love the related posts to this article:

    Related Posts
    Devastating Weather – Has It Affected You?

    YES

  • Mark

    First time I’m hearing about a “plugin” to store passwords.

  • Derek Johnson

    Could you at least extend the courtesy of allowing us to confirm our password? Is that not the least you could do? Do we really need to run around, changing all of our passwords, because you fucked up and decided to just shut your doors?

  • It’s ME

    First of all .. my comment ist NOT an excuse for ENVATO!

    What happened is a big mistake .. BUT it happens everywhere .. Even the government is not 100% protected against hacking.

    The users have to learn a lot more about security on the WEB. There is no security at all … But even then users should really learn a lot more about it.

    And they have to start to realize , that hacking and cracking are no JOKES ! .. It is INTERNET and not your SWEET HOME … there is no security but YOU !

    The user is the key .. The user is his one and only security.
    Most of the users have the same username/password for all web registrations and services .. This is their real problem.

    There are so many FREE E-MAIL SERVICE web sites on the web, such as Yahoo, GMX, Gmail etc. to name a few.. So why always use the same e-mail address over and over again? And why use the private and important e-mail for all of that?

    I think, this is the bigger mistake !

    respectfully
    Me !

    btw, I have 26 different e-mail addresses .. ;o)
    And I KNOW it sounds crazy .. But now YOU know WHY !

  • http://zackarycorbett.com/ Zackary Corbett

    So a website that’s all about best practices stores passwords in plaintext. Well, there goes my next three hours, changing passwords just to be safe. Thanks guys.

    In related news, I feel like storing passwords (or other critical information) in plaintext should be a sueable offense.

  • BrandGuy

    Wow the irony… just wow.

    I literally just renewed my premium membership last night at around midnight EST and it was solely to support Envato because I appreciate the service they provide and feel they do it well. I have really no interest in the premium tuts as the free service is really fairly comprehensive without it–but I do believe in supporting a service I use and appreciate. I have always considered Envato to be the authority on so many subjects–therein the reason for my support–but this sheds an entirely new light on their methods and practices. I can only imagine that they’d have no members at all if they divulged their security practices on the sign-up screen. Obviously their focus is not on supporting and protecting the members that support them–support that allows the company to exist at all. I’m honestly shocked and appalled. Possibly it’s time for the contributing development staff to review some of their own tips and tutorials?

    Really frustrating. Really inexcusable. Really bad business.

    While I appreciate that you stepped up at all (albeit after the fact when you could no longer avoid the large white elephant in the room), the phrase “too little, too late” comes to mind. I would get ready for the backlash… I can’t imagine it will be pretty. I would just cross your fingers that there are no financial incidents that arise due to, what can only be called, complete lack of care or incompetence (I can’t decide which is worse).

    Again, wow.

  • Terry

    Plain text? I don’t care how sorry you are, _unacceptable_.

    I’ve been with Rails for a month and even I know better than that.

    I’d rather not operate my site than put so many people at risk. How irresponsible.

    I’ve been seriously considering an account with Tuts+, but after this, you can forget it.

    Shame on you.

  • Spyros

    Plain-text passwords? Really? Not cool at all. I expected a little more respect towards your customers.

    At least you could have told us beforehand that you store the passwords in plain text; that way we’d never have used on Tuts+ the same password we use on other services.

    You screwed us, simply put.

    God knows in how many websites I had to change my password.

  • Meshach

    Sounds like you need to fire your “developers”.

    With that said props to the teachers at Tuts+ it wasn’t their fault that the site got hacked.

    Overall it was a big, big screw-up and I’m having a hard time understanding why you guys didn’t develop your own custom CMS for Tuts+ following strict security standards for user data.

  • David Wilder

    I think the perfect irony of this “PROBLEM” is the lack of legal exposure a company like Envato actually experiences in knowingly maintaining a commercial website that is vulnerable to the most basic of hacks.

    Sure, in the short term this notice guarantees that a few folks will not renew — but downstream WE are the ones who will pay. I think something more than a simple “I’m sorry, sh@t happens” is in order. AND that would be remuneration for the risky situation you’ve placed us in.

    BUT MOST IMPORTANTLY — Perhaps you should also explain why you are not offering “free” access to those compromised and the creation of a legal fund to manage financial losses we may suffer by virtue of this ridiculous oversight in your security protocols.

  • kieron

    Wow

    nincompoopery of the highest order guys and girls.

    It comes across like you’ve got no respect for your subscribers,

    leaving our personal info open like that.

    I hope this isn’t the case.

    I have been enjoying my time on here so far.

    Thats a shame but everybody makes mistakes.

    Kieron

  • http://oneclicktechgroup.com Matt Bernard

    Just wanted to say thanks for scheduling out my afternoon making password changes to all of my accounts because of your negligence and carelessness with my personally identifiable credentials.

  • adam

    This really is just unforgivable. You provide a service which takes customers’ private information and credit card numbers and you don’t even check how the passwords are stored. Ridiculous. I thought you people cared about your customer base. As we can see, that is all bull.

  • Joren

    Just bought 1password.
    You owe me 50 bucks…

  • Matthew

    I’m so disappointed… will you even make it up to the paid members?

  • b mitnik

    can you email the password that was compromised so that i know which passwords need to be changed on other sites?

  • http://www.mimosaciti.com Samad Khan

    Oops! :|

  • Preston Davis

    I hate to add fuel to the (justified) fire, but I just read from a post that indicates you were made aware of this problem A YEAR AGO!!???!!!

    “Thanks for reporting the issue of plain text passwords to us. It’s how passwords are handled with the membership software we use for Tuts+ Premium, which isn’t extremely well coded and something we want to rebuild from scratch. In the mean-time our dev team will be hacking the software to bring password security up to the best practices we advocate on our Tuts+ sites, like Nettuts+.” – June 29, 2011

    ref: http://www.reddit.com/r/PHP/comments/vmo5z/envatos_tuts_website_hacked_emails_plainttext/

    If this is true….

    • Skape7

      If this is true, they should give all premium members their money back. This is inexcusable.

      I found their premium content valuable, but they owe it to us to refund us or at the very minimum, discount something. This is absurd. They were aware of this glaring security issue but did NOTHING?

  • CodeJ

    Hey everybody…. Why don’t you relax a little? First of all, it’s your mistake to have the same password on multiple sites. These things can happen and, as mentioned before, it was a security flaw in the aMember plugin, so before starting to throw your poison at Envato please consider how many things you have learned from their tutorials (paid and free).

    These things can happen to any of us. Just saying how much they suck is really easy , but really ,are all of your web apps secure?

    All I am saying is that criticism is good, but not now that they are having a bad time…. Criticize when someone is at the top..

  • http://sergeylukin.com Sergey

    Of course it’s a pity that it happened and that it wasn’t fixed in time, but, come on, all of us make mistakes like that and some huge websites still keep plain text passwords (not that I like that, it’s just a fact) and even after they were compromised already.
    I’m pretty sure that Envato will (if not already) fix this and other vulnerabilities.
    I will definitely continue following Envato’s tuts and courses and am going to continue being an active customer for their premium content.

  • http://gnarmedia.com adam murphy

    plain text, really guys? more than 3 years ago i managed a customer website with less than half the size of this one with a 10th the staff, we hashed and salted all passwords, seriously, this is unacceptable…

    i don’t know what to say…

  • Freaky

    Be good. Why hack a good site? Why not hack bad sites :). Like politics sites and so on :D…

    Hope you’ll fix it !

  • Rog

    PLAIN TEXT OMG!!! I’m on android… have to reinstall my whole f**king phone for a password reset… Thank you NutsTuts!

    Want my $ 20 back….

  • Joe Dinsdale

    This is really disappointing news especially considering I only joined yesterday.

    • Josh

      ouch!

  • Adrian

    … And for those who signed up a while back and didn’t decide to pay, how do we know what our passwords were? I have never logged in to the premium but I tried to sign up a few years back.

    The best thing you can do now is help those who have been affected, so I shall be expecting along with all the others in my situation an email with a HASHED version of my old password so I can work out what it was (preferably MD5 so I can check it via command line). Pretty shameful for a best practices website in web dev.

    It should be illegal to store un-hashed passwords, I now have no idea what other accounts could be compromised by this as I can’t find out what password I used.

  • http://www.sooran.com Erfan

    Ouch! Good luck … These things suck.

  • http://podemski.info kpodemski

    I do not remember what password I use here … What should I do?

    • Seth

      Ask the hackers. They have it in plain text.

    • http://pixelb.in Alex Pascal

      Seth, you win, sir.

    • http://podemski.info kpodemski

      Seth +1…

    • Peter

      hahahah good one

    • http://www.iuditg.com Udit Goenka

      @Seth Epic !!

    • http://podemski.info kpodemski

      I checked the saved passwords in Chrome. Well, I had password as much fun as this situation. Fortunately…

    • notta

      @seth, that was a good one.

    • http://barbarianmeetscoding.com vintharas

      hahahahaha that was awesome xD

    • Diego

      hahahahahahaha

    • Jay

      Collis said there’s a link to change it. Get over it everyone.

    • onyx

      @seth that was funny, LOL

    • http://www.hacksoft.com.pe/ TheHack3r

      @kpodemski
      New FAQ to be added within Envato
      @Seth
      Excellent… Got a good laugh from your response mate… (“,

  • Jared

    Cleartext… not cool. I already got a login attempt which Gmail shut down from some IP in Turkey. If they would have gotten in my email that would have been really messy.

    Makes you think that if a company that teaches you how to make and secure websites can implement such faulty infrastructure, who else is toying with sensitive account data?

    Moral of the story, PRACTICE WHAT YOU PREACH!

  • RCI

    Sorry to beat a dead site…uh, horse, but this is unacceptable and beyond disappointing.

    Good luck earning back that trust…

    • Jay

      They’ve earnt it back with me already. I guess your good luck worked like a charm ;)

  • https://twitter.com/#!/cuorealmeazza Cuorealmeazza

    This error can happen to anyone here; not many people remember this is handled by humans, not by machines. If you think that what happened to Envato is a big mistake, I think it is also a BIG mistake to have the same password for many of the services we use online. It’s a great neglect what has happened to this team, but that does not diminish the high regard I have for them. Two weeks ago I became a new member of Tuts+ Premium and I have learned more than in three months in college. Surely after this they will learn and provide greater security in their portals. FORZA ENVATO!

    • Josh

      It’s not like it was a careless mistake. They’ve known about the passwords being stored as plain text since June 2011… I like Envato too, but this is unacceptable.


  • Shane Osbourne

    I’m just sat here shaking my head in disbelief! I’m sure the Dev’s involved feel a little embarrassed about this, but it doesn’t help us people who’ve had our personal info compromised. :(

    Not something you expect from such an established company.

  • http://www.YourABunchOfLosers.com Adam

    Simply amazing and inexcusable. I didn’t realize we were paying to be shown exactly what NOT to do by example.

    I will be closing ALL envato related accounts.

    What a hack operation….

  • http://www.anywhere.com Freddy

    It would be VERY interesting to know what other personal data beside email and password that got leaked …

    … Anyone from Envato that can tell us?

    • Filip

      Yes, especially because everything you need to change the password on moneybookers / skrill is the email and the date of birth! Then you change it on the page, you dont even need to confirm some email….

  • Clay

    Just got a SPAM iChat from “Deuce1978″. I assume this happened because my email is my AIM username. Just a heads up. :-/

  • ChristopherLouis

    I’m still good with you Envato. I’m sure this wont happen again, and you’ll still be producing the great service you’ve always had.

    • Jay

      +1000

  • Timothy Overturf

    Well fuck, I wonder how many times I’ve had to change all my passwords these last months.

    I don’t want to be a douche, but aren’t these things preventable, especially after the whole LULZSEC thing?

  • http://themeforest.net/user/LucidStudios Sher Ali

    Actually Envato has been following a wait-and-see strategy from the very beginning, e.g. changing asset rules just for activeden.net only when theFWA.com threatened Envato over copyright violations, and changing asset rules for all marketplaces when megaupload.com was taken down.

    Also Envato’s security measures are very immature. For example I can go to my themeforest.net account, change my email id, get an email that my email id for themeforest.net has changed, then I go and change my email id to another email and this time get an email at the previously set email id, which in my view is a very insecure method of allowing an email id change.

    The best practice is that when you change your email id then you should be sent an email with a verification link otherwise sending just a plain email that your email id has been changed is not good enough because someone can log into my account and delete all the files etc.

    Envato needs to grow up and use true best practices. Especially no compromise on security related matters.
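
The verified e-mail change Sher Ali describes above, as an added example (not ThemeForest or Envato code): the account keeps its current address until a one-time token mailed only to the new address comes back, the old address is told about the request while it can still act, and the weak “switch first, notify afterwards” pattern from the comment is shown beside it. The `Account` class, the in-memory outbox standing in for a mail server and the one-hour token lifetime are assumptions made for this example.

```python
"""Verified e-mail change vs. change-then-notify.

Added example illustrating the flow described in the comment above; not
ThemeForest/Envato code. The Account class, the in-memory outbox that stands
in for a mail server and the one-hour token lifetime are constructed here.
"""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600


class Account:
    def __init__(self, email, outbox, now=time.time):
        self.email = email
        self.pending = None      # (new_email, token, expires_at) while a change is unconfirmed
        self.outbox = outbox     # list of (to, subject, body); stands in for SMTP
        self.now = now           # injectable clock so expiry can be exercised

    def request_email_change(self, new_email):
        """Step 1: nothing changes yet. A fresh one-time token goes only to the
        NEW address; the OLD address is warned while it can still act."""
        token = secrets.token_urlsafe(32)
        self.pending = (new_email, token, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((new_email, "Confirm your new e-mail address",
                            f"Open /confirm-email?token={token} to confirm."))
        self.outbox.append((self.email, "E-mail change requested",
                            f"A change to {new_email} was requested. If this was "
                            "not you, change your password and contact support."))
        return token

    def confirm_email_change(self, token):
        """Step 2: only a valid, unexpired token completes the switch, and it
        works exactly once."""
        if self.pending is None:
            return False
        new_email, expected, expires_at = self.pending
        if self.now() > expires_at:
            self.pending = None          # expired: the user must start over
            return False
        if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
            return False                 # wrong token: pending change stays until expiry
        old = self.email
        self.email = new_email
        self.pending = None              # single use
        self.outbox.append((old, "Your e-mail address was changed",
                            f"Your account e-mail is now {new_email}."))
        return True


def unverified_change(account, new_email):
    """The weak pattern from the comment: switch first, tell the old address
    afterwards. Whoever holds the session now owns the account, and the notice
    arrives too late to prevent it."""
    old = account.email
    account.email = new_email
    account.outbox.append((old, "Your e-mail address was changed",
                           f"Your account e-mail is now {new_email}."))
    return account.email


if __name__ == "__main__":
    outbox = []
    acct = Account("author@example.com", outbox)      # constructed sample account
    token = acct.request_email_change("attacker@example.com")
    print("after request:", acct.email)               # still the old address
    print("bogus token accepted:", acct.confirm_email_change("not-the-token"))
    print("real token accepted:", acct.confirm_email_change(token))
    print("after confirm:", acct.email)
    for to, subject, _ in outbox:
        print(f"  mail to {to}: {subject}")
```

The notice to the old address is kept in the verified flow too, but it now arrives before anything has changed, so the legitimate owner can still log in and cancel; in the unverified flow the same notice is only a record of a takeover that has already happened.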

    • Jay

      I’d like to see you do better. Please send a link to your extensive marketplace network and I’ll start criticising it.

    • http://themeforest.net/user/LucidStudios Sher Ali

      I am neither a competitor nor work for a competitor instead I am one of the early authors at Envato marketplaces and I have warned Envato regarding security shortcomings many times but they don’t care unless something happens like what has happened to tutsplus.com.

  • http://www.videohive.net/user/miseld?ref=aedaddy Misel D.

    I just change all my passwords for security measures. I don’t want to be surprised.

  • Rob T

    Hey Collis,

    Thanks for the update and your honesty.

    If it was me though I would NOT have admitted that you knew about the passwords being stored in plain text. You’ve opened yourselves up to a huge revenue loss in subscription renewals.

    Anyway, I wish you and Envato all the best in getting back up and running and I will still continue to use your services.

    • http://pippinsplugins.com Pippin

      Might not have been the best move from a revenue standpoint, but it does say a lot about Collis as the CEO.

    • Jay

      +1

      Honesty is increasingly rare these days, and I think it’s awesome how Envato have owned up like this.

    • http://www.epochdev.com Jeff Seals

      The honesty was classy, but if they had withheld that information and then it came out, they’d be even more liable for a huge class-action suit.

      Nevertheless, this should have been attended to as soon as they found out about it #negligence #fuckingup

    • John

      Seriously – class-action suit? Come on. Where is the forgiveness in this world. This is not a big issue.

    • http://www.epochdev.com Jeff Seals

      Haha, well that’s just typical America for you. Some sleazy lawyer could see an opportunity and jump on it.

  • http://no Ryan

    You deserved to get hacked…storing passwords in plain text, lol

    • John

      You deserve to get a kiss from your mother, and kindly asked to play nice.

  • http://indocti.com Josh

    Hey guys. First off, sorry to hear about the breach. It’s good to see that you’re being completely transparent about it. That speaks volumes to the quality of your organization.

    I’ve been a happy member of your premium service for about 6 months (with another six months to go). I’ve gotta say, I was surprised to learn about the nature of the plugin you’ve been using… No need to reiterate what others have said.

    As an act of good faith, I hope you’re considering some kind of compensation to your paying members. I go to great lengths to ensure the integrity of my online transactions, and while your admission of fallibility is CERTAINLY appreciated, I do feel the time you’ve cost us should be acknowledged.

    Is that a fair request?

    • Jay

      I think everyone accepts some level of risk in doing anything online. I won’t be asking for a refund. No need to kick a man while he’s down.

  • Mitesh

    Anyway thanks for the update:) I still think Tuts+ Premium is by hands down the best investment I have ever made. Hope you guys get back to providing us with really awesome courses and tutorials.

    • Jay

      +1

  • Elaine

    How do I access my account to change the password? I click on the logo and it send me here.

    • Jay

      Elaine, the Tuts+ site is temporarily shut down. Collis just meant that if you use the same password on other sites, that you should probably change it there as a precaution.

      It’s a good idea to change your password regularly anyway.

      When Tuts+ comes back online in a day or two, they will tell you how to change your password then.

  • http://Twitter.com/AmyStephen Amy Stephen

    Seriously? So very uncool.

  • Numan Habib

    This is really disappointing, I am a new web developer & even before I started coding I knew that encrypting passwords is not even a question. It’s not even considered taking another step ahead, it is just a thing everyone is supposed to do. There shouldn’t be any reason to store plain-text passwords unless you are purposely waiting to get hacked or you’re trying to steal accounts on other sites.

    envato has taught me a lot, they would be the last people I would expect to make such a mistake…

    However, I am not that angry, mainly because my password is unique on here so it doesn’t harm me really. But the community aswell should learn to keep unique passwords.
    Hashing/encrypting passwords should be considered just as important as using unique passwords.

    What is funny is that I see people in the comments saying OMG SONY GOT HACKED AND SO MANY OTHERS AND YOU STILL HAVEN’T LEARN’T?!??!?!

    Well, yes it IS their fault — no doubt, but you should have also “learn’t” by now to use unique passwords.
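
Several commenters above (CodeFusion, Kiki, adam murphy, Numan Habib) contrast cleartext storage with hashing and salting. The following is an added example, not code from Envato, aMember or any commenter: a cleartext store next to a salted, slow-hashed one built on Python’s standard-library PBKDF2, with a `leaked_passwords` check showing what a database dump hands an attacker or an insider in each case. The class names, sample e-mail addresses and passwords are constructed for the example.

```python
"""Cleartext password storage next to salted, slow-hashed storage.

Added example for this thread, not code from Envato, aMember or any of the
commenters. The store classes, the sample e-mail addresses and the passwords
are constructed for illustration.
"""
import hashlib
import hmac
import os

# Deliberately slow: on the order of 0.1 s per guess on commodity hardware,
# versus microseconds for a bare MD5/SHA-1 hash. scrypt, bcrypt or argon2 are
# equally valid choices; PBKDF2-HMAC-SHA256 is used here because it ships in
# Python's standard library.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


class CleartextStore:
    """The pattern the thread is about: the password itself is the stored value,
    so any read of the table (breach, backup copy, curious employee) yields
    working credentials for every user."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = {"password": password}

    def login(self, email, password):
        row = self.rows.get(email)
        return row is not None and row["password"] == password

    def dump(self):
        return dict(self.rows)   # what a database dump hands the attacker


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, derived_key). A fresh random salt per user means two users
    with the same password get different stored values, so one leaked table
    cannot be attacked with a single precomputed lookup."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return salt, key


class HashedStore:
    """Only salt, derived key and parameters are stored; the password itself is
    never written anywhere."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        salt, key = hash_password(password)
        # Storing the iteration count with the row lets it be raised later and
        # old rows rehashed on their next successful login, without a flag day.
        self.rows[email] = {"salt": salt.hex(), "hash": key.hex(),
                            "iterations": PBKDF2_ITERATIONS}

    def login(self, email, password):
        row = self.rows.get(email)
        if row is None:
            return False
        _, key = hash_password(password, bytes.fromhex(row["salt"]),
                               row["iterations"])
        # Constant-time comparison: do not leak how many bytes matched
        return hmac.compare_digest(key, bytes.fromhex(row["hash"]))

    def dump(self):
        return dict(self.rows)


def leaked_passwords(store):
    """Passwords recoverable by simply reading the store's dump. Empty for a
    HashedStore: its rows hold salts and hashes, not credentials."""
    return sorted(r["password"] for r in store.dump().values() if "password" in r)


if __name__ == "__main__":
    for cls in (CleartextStore, HashedStore):
        store = cls()
        store.register("alice@example.com", "correct horse")   # constructed
        store.register("bob@example.com", "correct horse")     # same password, different row
        print(cls.__name__, store.dump())
        print("  login ok:", store.login("alice@example.com", "correct horse"),
              " wrong pw:", store.login("alice@example.com", "battery staple"),
              " leaked:", leaked_passwords(store))
```

Running the block shows the point Gaz makes about insiders as well as attackers: the `CleartextStore` dump is a ready-to-use credential list, while the `HashedStore` dump contains two different salt/hash pairs for the same password and nothing that logs in anywhere.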

  • jono

    You are frikkin stupid. This really is the worst of the worst possible dev and business mistakes you could possibly make

  • Murphy

    Truly tragic.

    Where can I sign in and replace my password? You have removed all links! Not good!

    • Elaine

      I have the same problem.

    • Jay

      As I just said to Elaine… the site is down for a couple of days. They’ll tell you how to reset your password when it’s back online.

      In the mean time – if you’re using the same password on other websites – change it there. It’s a good idea to change passwords regularly.

  • Elisabeth

    Thanks for letting us know.

    I’m just glad I obsessively use big parts of my brain to store different passwords for everything ;)

    Good luck, don’t envy you this job…

    • Preston Davis

      ha ha! Likewise! Can u say “Last Pass”?

  • Gaz

    I am absolutely disgusted.

    • John

      I’m absolutely famished. All this reading is makin me hungreh!

  • http://pendeavor.com Matt

    I cancelled my membership a few months ago, but was thinking about coming back – not any more. Talk about a rookie mistake. I’m beginning to wonder if Envato wanted our info to get compromised, because seriously…. who stores passwords in cleartext?

    Envato – you just lost a HUGE portion of your loyal customer base, and your reputation has taken a very big hit. If you really want to apologize, do it in the form of a refund for all users who paid for the Tuts+ membership. But you’re big business now…. and we’re just people. Money is all that matters… and you got our money. So I’m sure its no big inconvenience to you.

    Sad. Just sad.

  • Adam

    This feels like a joke. Envato had better hope no lawsuit comes out of this – other companies have been fined for the same thing: http://www.zdnet.com/blog/security/ftc-fines-rockyou-250000-for-storing-user-data-in-plain-text/11274

  • lav

    I wonder if there was a tutorial on hw to hack a website at nettuts+…… :P

    • John

      hehe!

  • Adam

    Whoa, I do not know how the account was hacked: hacked WordPress or aMember?

  • Gaz

    Couple of points while I’m fuming over this fucking ridiculous issue.

    1. Why were you guys using 3rd party software to manage user data?
    2. Why were you using 3rd party software that you knew stored passwords in CLEARTEXT?
    3. Having known about this issue, why wasn’t it fixed IMMEDIATELY?
    4. How long have you known about this issue? I (WE) deserve an answer to this.
    5. Apart from hackers gaining access to this information, are you really that stupid not to realise that this also posed a huge internal security risk? So basically, any developer (possibly even the cleaner) could gain access to the full list of UNENCRYPTED Tuts+ member password data. Did you not think that a disgruntled employee could have used this valuable information?
    6. I’m pretty sure there are legal implications.
    7. I would now have the headache of changing every password for every site I have ever registered on if I had all of my passwords the same.
    8. Please do not patronise me or any other member on here talking about password best practices when you failed to FUCKING secure our personal information.

    I feel physically sick. You are really going to struggle to recover from this.

    By the way, if you want to know how to build a successful business blog, I think there’s a great new book on the subject.

    • http://pippinsplugins.com Pippin

      Dude, first, calm down (FYI, no, I do not work with Envato). Read my post above: http://marketblog.envato.com/general/tuts-premium-security/#comment-26156

    • John

      And now would you like to write a post to the hackers who are the real people at fault here?

      It’s interesting to see how many people on here are SO quick to point the finger and criticise, and are just as quick in forgetting that all anger deserves to be directed towards the hackers.

      I am not angry at Envato. I’m just going to suck it up and change my passwords. No big deal – I’ve lost no money, it hasn’t physically hurt me, it might inconvenience me by 5 or 10 minutes. Big deal! Seriously!

      Wow – I am so annoyed to be inconvenienced by 5 or 10 minutes. If that’s the case then I should be MORE annoyed at traffic lights. They inconvenience me by that much every single day!

      Those bloody traffic lights! How dare they not consider ME and MY needs.

      1. Can you tell me why they don’t anticipate my arrival, and ensure they are green all the time?

      2. Why are they even necessary? I think we are all adult enough to manage our own traffic

      3. They use power, so are a threat to the environment. Seriously – that’s so inconsiderate.

      4. They are ugly. I can’t believe I have to put up with those ugly things looking at me constantly. That is grounds for legal action right there.

      5. I’m sure I have more points so I will sit here and think for a while.

      6. They attract birds to crap on them, which then directly costs me money to pay taxes for workers to come and clean them.

      7. They are always in the way of swerving cars – if they were never there in the first place, so many cars would not have been caused expensive panel damage.

      8. At night they make me stop when there is no traffic! The nerve of those bloody traffic lights.

      9. The amber light is too quick. It needs to last for at least another three seconds to let me speed up and sneak through there – just stupid and irresponsible design.

      Unbelievable. I am going to sue the government over this. I am so inconvenienced by traffic lights and somebody must and will pay.

      Oh – and I’m going to sue myself also, as this post has also inconvenienced me by 5-10 minutes.

    • http://pippinsplugins.com Pippin

      LMAO, awesome John.

    • http://www.epochdev.com Jeff Seals

      Pippin and John, you guys are forgetting the most important of issues: they knew passwords were stored in plaintext and NOTHING was done about it. Moving that data over and securing it should’ve been priority #1 over pumping out tutorials and making money.

      As soon as the issue was known, the site should’ve been taken down until the issue was resolved. It’s that simple, and I’m sure a lawyer will make the same case and win.

    • John

      A case for what? Wasting 5 minutes of my time? Let me know the name of that lawyer so I can also use him to successfully sue myself.

    • John

      Oh and then I can sue myself a second time for being an idiot and not using different passwords for different websites.

    • http://www.epochdev.com Jeff Seals

      Haha, I know. Any developer should know better than to use the same passwords, anywhere. However, let’s not miss the point yet again, there was negligence involved. If you’re accepting payments of any kind (regardless of where you actually do the processing), ALL of the data should be secure – from start to finish.

  • al briggs

    I will be cancelling my membership the moment the service goes back online. This is really unforgivable.

  • M Groothuis

    And just like that all credibility has been lost….. RIP

    • John

      But from the ashes of a bushfire come the sprouts of new life!

      Grow you little sproutlings, grow!

  • http://envato.homo.com Zayl

    Fuck you Envato and your security…. ohhhh I said security? No, I mean your openpassword platform. What will be next time? Compromised PayPal or something special?

    • John

      I like Envato. And I’ll like them even more.

  • Kieran

    Thanks for censoring my comment(s) Envato, great to see you doing some ‘damage control’ on this. /sarcasm

    • http://pippinsplugins.com Pippin

      I don’t think anyone is censoring comments, but I would say that WordPress is possibly having a hard time dealing with hundreds of comments coming in constantly.

    • John

      Yeah there’s some pretty uncensored comments on here…

  • http://pippinsplugins.com Pippin

    If you’re about to post screaming your head off, please consider reading what I wrote above: http://marketblog.envato.com/general/tuts-premium-security/#comment-26156

    YES this is a horrible situation, but NO does it justify coming and spewing abuse at Envato. Don’t forget about all of the other incredible things they have brought the web development world, and others, such as Graphics, Video, Audio, etc.

  • Josh

    I can’t believe you didn’t encrypt passwords. That’s incredible and extremely irresponsible.

  • goddammit

    Damn, now I can’t get that 50$ offer, although I’m sure this is what it’s all about, right. Hackers saw the promotion and decided to get into people’s accounts.

  • Concerned and Disappointed

    I was strongly considering submitting some tutorials based on your list of items you wanted tutorials submitted for. However, this situation leaves a nasty taste in my mouth. Not because you were compromised. Instead, because you used something that you *knew* had a huge vulnerability and somehow didn’t think to work on migrating away from it ASAP.

    How long have you known that this “amember” plugin was storing passwords in plaintext? How did you not know upon first install? While testing it? While yes, the plugin is crap for doing that, you’re responsible as a platform owner for knowing what the software you integrate with does.

    In addition, this happens on the part of your site people PAY to learn from your posted content. You’ve even published articles on this, so how could you let this happen? This is a huge blow to your credibility and your site’s stature.

  • Erik

    The word pathetic comes to mind. I’m regretting ever paying for premium; I don’t remember which password I used so I’ll have to change them all. If there was any justice in the world, this would ruin Envato’s business… oh, well, lesson learned: no more payola going their way.

  • Chris

    While this is definitely a bad thing to let happen (and terribly ironic) — I will say that if you are overtly angry then it means you are the kind of person that uses the (usually bad/insecure) password on every site you use.

    No financial data was compromised. If you had a unique 10+ alphanumeric password for this site that you use nowhere else, as you should, then nothing bad has happened.

    I know we’d like to think everything out there is perfect and trustworthy, but take some responsibility and use your head.

    • Jay

      Hear, hear! The voice of reason is so amazingly refreshing.

  • errol

    Nice fucking work, should have never signed up for premium, I can’t believe the passwords weren’t encrypted! We should most definitely be compensated, sorry doesn’t cut it!!

    • John

      How about sorry with cherries on top? That’s enough for me :)

      Use unique passwords. Use lastpass. Get over it.

  • http://SethCoelen.com Seth

    I think we should all get a year free of premium membership. Or at LEAST a large chunk of money back for those who paid for a whole year. I will be canceling my membership if I am not compensated for this awful mistake.

    Give your customers something that says “We want to make this right.”

    • John

      Oh – I want a Ferrari too. This is inexcusable and I think I am owed a Ferrari.

      See my reply to Gaz’ post…

  • Brian

    Great, was disappointed with the tuts premium membership previously. Now have to change passwords everywhere. Who in the right mind stores passwords in plaintext? Absolutely ridiculous.
    Brian

  • Alfa9Dev

    You guys should read this document “CAREFULLY” !
    http://www.sk89q.com/content/2010/04/phpsec_cheatsheet.pdf

    • John

      That’s a great resource! Thanks Alfie.

  • Tom Pearce

    “Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted). The storage of cleartext passwords is a bad practice for a variety of reasons, but principally because any sort of compromise grants the attacker full password details.”

    Hard to accept apologies under such circumstances….TP

  • http://asd.com Not happy jan

    Password hashing is like the first bloody thing you learn in web programming! Authentication 101!

    This is completely UNACCEPTABLE from a web site that is supposed to be teaching people how to make websites!

    I do feel for the authors whose reputations have been tainted through association.

  • Blake

    I stated earlier as to why Envato didn’t upgrade to aMember v4, that was my two pence worth.

    However, this is getting silly, and people are posting stupid remarks. Yes, there was a security breach, but at least the staff here at Envato made it a public announcement; most sites wouldn’t even do that.

    I am sure Collis had a feeling this could damage the reputation of Envato; however, it has also built a trust in between, because an attack like this is normally kept hidden behind closed doors, and someone would stick up a ‘We’re having some maintenance done’ on the front end to trick the user into thinking they’re doing something when in reality, they’re fixing a security breach.

    You all need to step off your high horses now and let bygones be bygones. They’re working hard to get the problem fixed, and I am sure they will not allow for the same mistake in the future.

    Move on guys and girls, it’s not the end of the world.

    Thanks for keeping us informed Envato staff, much appreciated.

    • Brian

      It would have come out sooner or later, when the hackers say how much data they have. It always comes out and is inexcusable. Back to changing 300+ passwords.
      Brian

    • http://pippinsplugins.com Pippin

      Thank you! I’ve been hoping someone would finally say this.

      Seriously, get off your high and mighty thrones of “I’m perfect”.

      It’s guaranteed that Envato will take a HUGE revenue loss from this, but guess what? They admitted it immediately and were transparent.

      Yes the issue should have absolutely been resolved a long time ago (before it was an issue), but props to you, Collis, for coming out immediately and telling us what happened. I would love to shake your hand and say “thanks”. But instead of shaking my hand, go buy your devs a LOT of coffee as they have some very long hours ahead . . .

    • John

      Brian it sounds like you are changing one password 300 times.

      This is actually helping you, as one password is an extremely bad practice.

      +1 for Blake’s comment.

  • Brian

    Looks like I’ve got to change 300+ passwords. There goes my night.. Plain text, unbelievable..
    Brian

    • John

      Unbelievable that you used one password for EVERYTHING.

      That’s amazingly unbelievable.

      Lastpass.com my friend. Criticise yourself before looking elsewhere.

  • Joel Falconer

    Arguments about prevention and aMember’s encryption aside (and aMember should get as much criticism as anyone since they run thousands of membership sites), Envato handled this breach far better than any of the much larger corporations who’ve had breaches in the past year — with immediate information, an apology and the site brought down while the issue is fixed.

    Those other companies, all of which employ PR teams or PR firms (last I knew Envato does not), let the media control the issue and sat around talking about the problem while the hackers could take their time using the information they’d gained. Some were reluctant to apologize even after they finally admitted there was an issue.

  • rikkert

    Besides the complaining about the password being saved in plaintext, most of the users made a mistake as well. They always advise not to use the same password over and over again.

    I am such a fool… still it’s disappointing :(

  • Gaz

    @Blake

    It’s not the fact that Envato got hacked that people have a problem with. It’s the fact that they were storing sensitive information, namely passwords UNENCRYPTED using CLEARTEXT.

    Every website has the potential to be hacked, and some big players with good security have been but having been hacked, simply laying out all of the sensitive information in a clear readable format for all to see is unforgivable, especially for a company of such repute, and one teaching and operating within the web industry.

    It’s not as though they were not aware that the passwords were stored using cleartext. They absolutely knew, and from what I can gather for a very long period of time.

    They are quick enough to take people’s money but not so quick to fix a blatant security problem. That says to me that they really couldn’t give a f**k about their ONCE loyal customer base.

    Can you not see why people are angry? It’s such an amateur and very serious fuck up.

  • Gaz

    Jesus, an apology really doesn’t cut it I’m afraid.

    Imagine I worked at a fairground fixing rides, and I knew about a fault that could potentially derail one of the biggest roller coasters in the ground, but I didn’t make any attempt whatsoever to fix it, and then a ton of people died on that ride. Do you think just because I apologised and was transparent about the error that it would be sufficient?

    Granted, that is a very overexaggerated analogy but the principle is the same.

    • Bill

      Yes, actually, that IS a very overexaggerated analogy…

    • Gaz

      I know but I just needed to reiterate that this is not OK for the people saying ‘Oh well, these things happen, get over it’.

      Something like this really makes you think that Envato doesn’t care about its customers.

      When LinkedIn got hacked, I thought ‘Bloody hell, that’s quite a serious situation’ but I went ahead and changed my password and didn’t have any bad feeling towards LinkedIn, as things like that do happen but to have unencrypted passwords in 2012 is just plain wrong.

    • http://pippinsplugins.com Pippin

      It’s not about saying “this stuff happens, get over it”, it’s about acknowledging that bitching about it ’til the sun comes up doesn’t make a lick of difference. How about instead we acknowledge the fact that Envato has owned up to the horrible mistake and is working to fix it asap. I can assure you that there isn’t a single Envato dev team member sleeping tonight.

      The fact that Collis came out and told everyone about the mistake immediately after the hack says a ton.

  • http://www.haynesdesigns.com Rey

    Highly irresponsible, but I’ll give you guys the benefit of the doubt… as a site grows so fast, it’s harder to replace a working backend sometimes.

    There should be some sort of credit compensation for members based on monthly and yearly membership.

  • JM

    Unencrypted passwords in 2012?! That’s like leaving your wallet on a bus seat or leaving your keys in the ignition. YOU IDIOTS!

  • Pan

    Wow, I saw some tuts last week that made me want to subscribe. I swear to you that I came here just now to subscribe. I appreciate the honesty but like the rest of the commenters I’m pretty disgusted by this. I expect clear text passwords on a free first-time developer’s android/iphone app but from tutsplus, damn. I’m gone.

  • http://www.tjbarber.me/ T.J. Barber
  • Eben

    This is really, really unacceptable. I’m very seriously considering terminating my subscription out of disgust.

  • what a smell

    Some people here foam at their mouth so maliciously that one might smell a rat. An envious rat. A cut-throat competition desiring to destroy a successful and popular rival.

  • Andrew Mooney

    I appreciate the honesty and it is commendable especially in this day and age. Most CEOs try to lie their way out of situations like this.

    However, there is no excuse for a known issue with security to go un-fixed for any period of time. I think that it would have been better to have taken the premium site offline and replaced the plugin as soon as it came to light that it was storing passwords in clear text, no matter how long it took. I know that this would have caused an uproar from paying members and maybe a loss in revenue at the time, but I think it would have been much less of an uproar than you have now.

    Unfortunately, this incident has undermined the trust people have in Envato as a company and its sites. It also damages the good reputation of the instructors, which is unfair as the ones I have been learning from are very good.

    For those of us who plan on staying with the premium service I think we need some kind of assurance that this issue isn’t going to happen again. Maybe a transparent plan of action letting us all know what has been done to resolve the issue, and how Envato plan to move forward.

  • http://www.leihai.com/ Stephen Curtis

    Ok, I was mad but I’m over it. Now I need to get back to the course I was reading through last night. When will it be back up?

    • http://tutsplus.com Jeffrey Way

      Which course?

  • Marcin

    As a fellow Australian, I have to say that this is pretty piss poor mate!

    I’m also guessing that since they have all the account details, I should be expecting more spam in my inbox.

  • http://philmorrow.co.uk Phil Morrow

    Envato have struggled under their own success. We’ve seen it across their whole network. They’ve grown faster than they could handle, and have obviously made some bad decisions in that growth (features over infrastructure). Something like this was going to happen eventually.

    To those claiming you’ve lost hours and hours, that’s your own fault for using the same password for everything (mine too). If we took our own security as seriously as we’re expecting Envato to, then it would have been a minor annoyance and nothing more.

    It has always been very clear that Envato / Collis care about the community. A lot. They’ll make this right, so just chill out.

    • Gaz

      I’m sorry Phil I won’t chill out mate. I’m pissed off, really pissed off and I don’t use the same password for every account I have.

      These people who supposedly care about the community, quite frankly don’t. I could understand if it was a flaw in the system that they didn’t know about, but the fact of the matter is they knew about it and did nothing. That certainly doesn’t say they care about me or you.

    • Brian

      Regardless of whether people use the same passwords or not, the issue at hand is plain text passwords. No encryption is completely unacceptable.
      Brian

    • http://pippinsplugins.com Pippin

      Yes, plain text IS 100% unacceptable. No one is arguing with you.

      I’m sure everyone agrees that security should be number one (unfortunately it wasn’t in this case), but that does NOT mean the company doesn’t care about its users. Come on, seriously?

      Are you aware of how many sites Envato runs? And do you realize that this is the ONLY site affected? In the scope of users that are involved with Envato sites, Tuts+ is a very, very small fish in a very large lake.

    • dev

      You really don’t get it, do you Pippin? You’re so ready to give Collis and his team a bro-hug for being forthcoming about the hack that you completely miss the point on why people are mad. THEY KNEW ABOUT THE FLAW.
      THEY.
      KNEW.
      ABOUT.
      IT.

      And yet you casually dismiss this important fact on the basis that what, tuts+ is small fish? People are pissed because it indicates poor business philosophy. That philosophy being that “your security is not our utmost concern”. If it was, then they would’ve taken action the SECOND they found out about this issue. When you discover a flaw this serious, you don’t continue to allow your customers to be exposed. Not for a month, or a week, or even for a day. Any security consultant will tell you a flaw as serious as PLAIN TEXT passwords should either be fixed immediately or shut down the servers until it gets done. You may lose money short-term, but you salvage the trust of your customers. Envato evidently thought that leaving their users exposed while trying to upgrade to a new registration system was acceptable. THAT is why people are pissed.

      Now if they hadn’t known about the issue internally, then yea I’d be right there with ya, saying people are blowing everything out of proportion. But they did know. And with this knowledge, they still chose to let people be exposed.

      The devs should’ve been drinking that coffee you suggested much earlier, like ohhh…I don’t know…WHEN THEY DISCOVERED THE FUCKING HOLE.

      And fyi, being honest and forthcoming about something like this should be expected. Just because other tech companies have been lax in reporting similar breaches doesn’t mean Envato gets a courtesy gold star for timeliness. That kind of thing should be standard protocol.

  • Derek Boman

    I just happened to change my password about a week ago. Were both passwords compromised, just the new one, or the old one?

  • Steve

    So many of you are complaining about Envato’s lack of security, but if any of you use the same username/password combo for your email/paypal/all kinds of websites then you really ought to be looking at yourselves too. Yes, storing passwords in plain text is stupid, but so is using the same pass on every site. There are simple things we as users can do to protect ourselves.

  • Storm

    Hmmm.

    Yes, bad stuff-up.

    Good, you were open and honest.

    Shit happens though, and you are fixing it as we speak.

    I think you should sort out some sort of promo/gift for your existing members who this has affected. A month free sub should do it (and hopefully by the end of it they will have calmed down and will stick around).

    • Gaz

      I don’t understand how they are fixing it?

    • http://pendeavor.com Matt

      A free month isn’t enough. A free year isn’t enough. Once the trust is gone, it’s time to move on.

      Maybe it’s time to give smaller guys like http://teamtreehouse.com/ a try…

    • http://pippinsplugins.com Pippin

      They’re fixing it by replacing amember completely, I believe.

    • Gaz

      Oh, you mean what should have been done a long time ago when they first noticed the issue. That’s not a fix when the horse has already bolted.

  • junior dev

    Daim … I got my membership to learn new things … and my boss is paying for it … It sucks … need to get my membership off and back after when it’s sorted out …

  • Gaz

    I know who I feel sorry for. All the great instructors like Jeffrey Way who may suffer through association.

    I for one didn’t know until reading the comments here that the development team behind the Tuts+ website were not comprised of people like Jeffrey. I thought they all contributed in some way other than instruction.

    I’ve gained a lot from the content on this website, specifically from Jeffrey’s teachings. I hope this doesn’t affect the instructors too much.

    I also hope that no one suffers financially from this, I really do. If that happens in any great number, Envato will have more than disgruntled customers on their hands.

  • Gaz

    By the way @Envato I am a premium subscriber, based in the UK, but I did not receive any email notification about this issue like what was stated above. I simply found out when arriving at the site to go through some more material.

    Has anyone else had the same issue?

    • http://pippinsplugins.com Pippin

      I got one this morning. Maybe check your spam folder? Could be there.

  • http://www.creativecollab.co Amber

    on one hand… I get that hacking happens… on the other hand…

    as I sat here racking my brain about what my tuts login info was (couldn’t remember off the top of my head out of the handful I usually use) and then spending a few hours more meticulously going through each site I could remember/find and changing ALL the passwords just in case (Envato shut everything down before I could confirm what my login was)….

    my zen state has slowly vanished and the whole scenario blows my mind to a whole new level of nerd rage that they were KNOWINGLY using a plugin (aMember) that they knew had such a gaping black hole of a security flaw.

    according to the aMember release notes, passwords being stored in a text file was only just fixed in aMember v4:

    http://www.amember.com/p/2011/11/amember-pro-version-4-stable/

    I would suggest to anyone using that plugin after this fiasco to update to v4 a.s.a.p if they haven’t already… *GLARE @ Envato*

  • conscofd

    It’s time now to make all tuts free… because i won’t pay anymore on tuts+, NEVER.

  • Brian

    When can I sign up? I must sign up by Friday (end of financial year, corporate thing)!

  • kieron

    I’ve forgotten about this now I’m sure after this embarrassment

    the site will be fine from now on.

    Can’t wait to get back on and hope this doesn’t affect the

    future of the site.

  • Anil

    The absolute safest way to have handled this situation would have been to shutdown the site for a short period of time to avoid exactly this from happening. That way you could have fixed the problem when you first learned of the issue. I understand that this isn’t the best approach from a business standpoint, but you’re dealing with the security of your clients information which [should] have trumped anything else.

    Even if you took down the site for a month to solve the problem and not charged anyone for that month and explained why you took down the site would have been better than what transpired today and a majority of people would have understood.

    No matter which way I’ve been trying to put a positive spin on this, I just can’t. Your company kept taking money from customers while engaging in an unsafe business practice.

  • Preston Davis

    My Final Thoughts…

    Yeah. I was pissed. But true, shit happens. Am I leaving? Nope. I might be a dumb-ass, but my ass AINT dumb. These guys are puttin it out! Besides, I had a unique password for Envato (like I have for every other site). Took me about 20 seconds to “get right”.

    Should they have fixed it? Yes. If the letter above (about the issue being reported AND responded to a year ago) is true, then Envato should walk this gauntlet… and maybe consider some “personnel changes” :)

    BUT….

    Everyone on here bitchin about having to change passwords on multiple sites “SHUT THE ……UP! Y-O-U know better too. YOUR behavior is as inexcusable as this clear-text thing.

    If you’re in this boat, WISE UP. Try LastPass ( lastpass.com ) or some other solution. But never use the SAME password on multiple sites.

    And if you don’t know… now you know.

  • Cliff

    I’m with you Preston.

    What they did was stupid, no question.

    But then, what is the point of cutting off your nose to spite your face? I enjoy the tutorials and the knowledge I have gained from net tuts.

  • http://www.AlfredoGarcia.me/ Alfredo

    Hi,

    I am going to be blunt. I am highly disappointed in Envato. Highly. I always came here to look for new and exciting ways to learn about the web, which you guys strongly taught us on. However, isn’t it ironic that a marketplace of this reputation is so blind as to even think of accepting money from customers and know that there could be a chance of an attack?

    Are you serious?

    I say we get compensation from you guys. Starting with a free month premium service, cause so far, I am not renewing my account and I am claiming my money back.

    Very unprofessional on your part guys. Very.

    Thanks,
    Alfredo.

    • John

      I am also going to be blunt. I have been a paid subscriber, and I won’t be asking for a refund.

      This has barely inconvenienced me. If you have different passwords for all your online accounts, which you ABSOLUTELY should have – this should not inconvenience you either.

      If you don’t do this, then – shame on you. Now is a good time to start. Take a look at lastpass if you’re not already using it.

      I like your avatar by the way ;) Nice one.

    • dev

      John,

      It’s not really about the inconvenience factor. I use 1password myself, so the breach actually doesn’t affect me at all. It’s about Envato’s actions. They were aware of the issue internally and still allowed their users to be exposed. That kind of decision-making is simply inexcusable.

      You’re right about every one needing to have different passwords for various services, but that’s a strawman for the issue at hand.

    • John

      dev being aware of the issue was true, and they had plans and were taking action to fix it.

      I’d be more angry at hackers than anyone else at this point.

  • Jay

    Hear, hear and +1000!

    Finally – a voice of reason. Be angry at hackers – they are the real problem here!

    DERRRR

  • Illz

    I tried it once a year ago, but don’t know now what password I used. Can I figure out what it was? I don’t remember if it was unique or not.

  • http://www.ravenousravendesign.com Heather

    It must be my stalker who hacked the site. I bet he’s trying to find my password to leave me love notes all over the internet. For goodness sakes. I will never be freeeeeeee!! :)

    Don’t worry, be happy people. As long as there are good guys on the net, there will be 5 bad guys behind him trying to mess up the kingdom he has made. It’s just the way the world is.

    • Jay

      ahaha great post :)

      I’m with you heather!

    • Remy

      Super LIKE. lol

    • Mike Thomas

      Envato made it pretty easy for the bad guy in this case!

  • Bandict

    Epic FAIL!

    • John

      So 2008

  • Robert

    Be warned all. My credit card that I used for this account was compromised today. Coincidence I doubt it..

    • http://pippinsplugins.com Pippin

      If you used the same password here as you did on a site that stored your cards, then no, probably not coincidence, but that just goes to show that you shouldn’t use the same password everywhere. The same thing would have happened regardless of how the password was obtained.

    • John

      +1 – this will be a great lesson for not only Envato to learn, but people with their own password management.

  • Brandi

    I am trying to find the address for where to send my invoice and can’t seem to locate it. I charge $125/hr for customers I like. It will take me at least two hours to find out which passwords used the same one here, but considering you knowingly gave up my password I will have to tack on an additional fee of $100. Total due – $350, payable via PayPal.

  • http://about.me/weslly weslly

    I’m glad I’ve used a random password generated by 1password.

    • John

      Same! but from lastpass.com

  • Remy

    No matter how invincible you are, remember this.

    “Shits Happen”

    I hope this will be fixed soon. I have learned many things from envato for years and I’m thankful for that. Keep up the good work.

    • John

      I’m with you Remy! I have found Envato to be a really great organisation. They’ve slipped up, they’ve been sincere about their apology.

      In my books – that’s just given them more credibility than before.

  • Oleg

    Maybe this is all a tutorial in web security and TutsPlus made it all up so that we as web-professionals will never store sensitive user data without encryption? And they are also getting us to change our passwords in the process, which is a good practice….

    P.S. In truth I do know that it’s NOT a tute/prank and I’m frantically changing my passwords, but one can hope.

    • John

      More than that Oleg – it’s a tutorial in users not to use the same password everywhere!

      Just shows how silly people are… using the same password on the majority of their web accounts.

      Lastpass.com will save all your passwords – it’s awesome.

  • http://www.satellitespy.net saucecoda

    In a perverse sort of way I’m glad this has happened. Even last night I intended to change the (same) password used for a lot of non-critical accounts, so as to have a unique pwd for each account. I’d even drafted some out and then thought “I’ll do it in the morning”.
    Well, I’ve done it now!

    The more this type of attack is publicised the better. People need a wake-up call : expect the best, but plan for the worst.

    • John

      Hear, hear!

  • Justin

    I am surprised by the indignant attitudes. We’ve all made mistakes. Envato will suffer the consequences of their embarrassing lack of judgement. However, I am certain that they will learn from this painful experience. I applaud their honesty and transparency as they work toward resolving the issue, and I look forward to continued online learning.

    If you use the same password for multiple sites, then you are at least partially responsible for the inconvenience.

    • Jay

      Well said! I agree entirely.

  • http://www.flashato.net Arthur

    Cleartext password, no excuse.

    Leaving the membership for this is not a good excuse.

    This is the good excuse to bring all the Envato networks to the next level of security.

    I will renew my premium subscription.

    • Fabian

      (y) + 1000 ! Great

    • Jay

      Agreed.

  • Shaun

    Although security breaches can never be completely prevented, using cleartext passwords to store user information online is a huge no-no, particularly for a professional online business.

    Storing user passwords in cleartext format outside of a development environment is unacceptable and possibly negligent.

    The folks at Envato should know better and I hope their internal culture does change so I can have restored faith in renewing my premium membership.

  • http://www.maren.com.ar Martin

    I wouldn’t mind the site being down for a week cause I love you guys, but you host hundreds of tutorials on your site about web development and stored passwords in plaintext?

    That’s not investing the money you make and it makes you look greedy. I don’t like greedy people.

    • Jay

      I’ve been using Envato’s services for years and years – back in the early days of ActiveDen.

      All I can say is they have a LOT of respect in my book. They have always given more than they get in terms of revenue and value, in my opinion. Everybody has to make money to live, and I think they have been a very open and honest company, especially considering the success that they’ve had.

  • http://www.webdesignlift.com Windo

    Wow, so many comments up there. I didn’t read all the comments, stopped at Jeffrey’s reply and am commenting now.

    I think this incident makes me learn something about running a web business: how do you deal with tricky situations like this, like honestly admitting the mistake, even though the mistake is so contrary to the values that brought the company here.

    You should write an article about this. How do you deal with it and what did you think when you decided to tell the users truthfully?

    back to work :)

    • Jay

      Yeah I’d like to hear this too.

      I can say that it takes balls to be honest, especially for such a potentially embarrassing situation.

      I commend them for their honesty, and speed of being open about it.

  • Nate W

    It’s been said just a few times already, but free text passwords?! WTF?!

    The least they can do is offer the past and present PAYING customers some type of offer to smooth things over. It’s the least they can do. I remember Sony giving us all a few free games and then some after their security breach.

  • Kevin

    I’m not here to defend and I totally realize this is such a worst case scenario. Collis and the team must be feeling so sick about it (which again isn’t supposed to make anyone feel better).

    I only know how much Envato and its community and course instructors (Especially Jeffrey Way) have done for my development and value as a designer/developer. I really feel like there is no other community driven resource platform like these guys have managed to build.

    We can only hope that most will at least allow them the opportunity to win our trust over and to continue to bring their amazing drive, attitude and love for the creative industry going.

    I’ve updated my passwords across the board and I know on principle I shouldn’t have to … But if there is any company or anyone that I’d be willing to not hold a grudge on… it’s Envato and the Tuts community.

    cheers

    • Jay

      +100

  • JoHNNY_D

    Kinda tired of reading all the negative comments so I will just say: it’s unfortunate what happened, but what’s done is done and I’m sure the lesson is learned.

    I enjoy tuts+ too much to be that upset. If you can find a better site to learn web development I’d call you crazy, and you better believe you would be.

    • http://pippinsplugins.com Pippin

      +10.

  • Chris

    Really, unencrypted passwords? Why use that plugin in the first place? Why did you not edit the plugin to use encryption?

    You should have made it clear on signup that the password was going to be stored in plain text.

    This is one of the lowest, most unprofessional things you can do.

    I can see tutsplus losing a lot of subscribers for this.

    • Jay

      Not mine. They have my complete support.

  • Gunn4r

    I hope they can recover quickly from this. Someone over at Envato probably crapped his/her pants when this happened… then got fired.

    I hope we will get some kind of compensation out of this since I just had to spend the last 2 or so hours changing passwords.

  • Devin Dombrowski

    Envato,

    You have seriously taken a shit on your reputation!

    A site that advocates best web practices and “ironically” just released a post about password security

    http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

    If you are saving unencrypted user passwords you have the responsibility to TELL YOUR USERS!

  • F.CHAPLIN

    Shame on you.
    Passwords in plain text? For paying accounts?
    Dudes, you should read your own tuts+ about security…

    Personal data are treasures! We trust websites as we trust banks when we give them our names, addresses and passwords!

    Can you understand this, TUT+ team ?

    I encourage anyone to close any paying account on this site.

    Not because we are now scared by the lack of seriousness, just cause Tut+, for letting this happen, just deserves to die.
    For the example.

    • Jay

      I won’t be cancelling. Envato are an excellent company in my opinion. They have made a serious mistake, and they have been open, honest, and fast to publicly respond to what has happened.

      What they have given me over the years has been absolutely invaluable in terms of my professional career, and quite frankly – I find your comment rude – to encourage people to unsubscribe.

      They have given me MUCH more in terms of value, than what I have paid for in return.

      This mistake has cost me 2 minutes to change my password. Actually – it hasn’t cost me ANY time as my password was unique to this site, so at this time this has not affected me WHATSOEVER.

      If you also were serious about your password management, then this should not affect you in the slightest, either.

      So – perhaps you could write a new post about how negligent you have been with your password management?

      Because people would listen to that one, and it would actually be helpful.

  • King JJ

    I love tuts plus, the site has a lot of good stuff on it, just hope they look out for the people paying for the service and give us like a “hey we jacked up and gave away your passwords, here is half off tuts plus for life” fair exchange for using clear txt passwords. I know half the people here would be happy with that.

  • AA

    Thanks for being honest.

  • http://community-auth.com brian

    I would say you owe everyone in your database a free lifetime membership.

    • Hiep

      I totally agree!

      A free lifetime membership would make me less angry.

      Best.

    • Jay

      How about a free lifetime membership, and all the revenue they have ever made, divided equally to all the users in the database, because being asked to change one password is SO amazingly inconvenient that I am afraid to greet the day.

      If, however, I was serious about my own personal password management, and was not incredibly stupid and ignorant enough to use the one password for many online accounts, then this issue has not affected me WHATSOEVER, and my life continues.

  • https://themeshive.com/ Themeshive

    Really, unencrypted passwords? Why use that plugin in the first place? Why did you not edit the plugin to use encryption?

    https://themeshive.com/theme/membership/

    • DB Hacker

      Membership software – aMember Pro has a really bad developer team…………

  • http://pippinsplugins.com Pippin

    I think we’ve heard enough of the negative comments. Sheesh, the points have been made.

    • Wil

      +1 on that, but, sadly, everyone seems to feel the need to over comment negatively. We all get it – Envato screwed up, so is there really any need to keep hammering a nail that is already in place?

      Waiting for the negative comments now…

    • Jay

      I like your avatar, Wil. You look friendly.

      Just thought we needed a little more positivity :)

  • http://www.silvercrux.com Janki

    That’s too bad. I wonder what the attackers gain out of this.

    Anyways I think you guys should make the name of the plugin public so that it rings an alarm for people who use it.

    This solidifies my belief that wordpress plugins are inherently unsafe and we should do a thorough check before using them.

  • Paul

    First you send me an email saying that I need to log in to my account and change my password, but then when I go to tutsplus.com, I can’t log in to change my password. Man you guys, I’m doing my best not to insult you but this is really stupid. You shouldn’t make it harder for me to log in. You bring me here instead of sending me to a page where I can log in and change my password.

    Shame on you guys for using passwords in the clear. I hope you learned your lesson. I don’t think one head should roll for this. There had to be a dozen people involved in the security management. On the other hand, I hate to see someone lose their job, so I might give them a second chance, but few others would.

    I love tuts-plus, so I will continue to be a member, but I agree that they should give everyone who had to change their password a month free. They didn’t just put my envato account in danger, but they put my paypal account and my bank account in danger. I may not have checked my email for two weeks. I could be facing a thousand dollar bill! Envato should at least pay something for not having enough sense to use encrypted passwords and putting my accounts in danger. I would be appeased with one month of free access, but if they don’t give me that I will still pay for their product, because it is incomparable. Also I believe in giving second chances, but that would never happen in the corporate world.

  • John

    Plaintext passwords? You guys are fucking idiots.

    • Paul

      @John, I didn’t want to be so harsh myself, and I really don’t want to say what you’re saying, but to be honest, I can’t argue with you.

    • Josh

      I am in agreement. Completely shocked by this.

    • Tina

      Agreed.

    • Jay

      Disagree massively. Envato has so much respect in my books. Yes, they have screwed up here. But – they have been open and honest about it, now offering compensation, and have been very quick to alert everyone about the issue.

      That is VERY rare in business today. Usually a company will hide things like this, only being forced to come out with it when the hackers go public.

  • VF

    Not sure if this issue is the reason, but since yesterday I have started receiving spam to my main email ID that requests contact info, email, phone etc. as an HTML form.

  • Kima

    Well, they tried to enter my facebook account, thank God fb has good security. They are (or the proxy is) from Japan.

  • Jx

    So many negative comments! What’s wrong with you people? You should have known how to protect yourself in the first place by having different levels of passwords. You are obviously not going to use the same pass for your bank account and this website, right? Not if you are smart. So please shut up and let the awesome crew at Tuts+ patch the website up.

    Tuts+ pps, you are doing an awesome job, don’t listen to those bitches.. shit happens… let’s get the website back online!

    • http://www.windkr89.nl Erik

      That’s not what this is about. Storing passwords in plain text is a very bad practice! We all expected that especially Envato would not make such a fault.

      I am getting irritated by paying for things and then, when something goes wrong, people saying it’s your own fault. I don’t want to spend my time on these annoying things….

    • Jx

      @Erik I totally agree with you. This is simply unacceptable and I was totally shocked when I read what happened. I am just trying to give these guys a bit of support. They have probably spent last 24+ hrs fixing this up. I am really glad they admitted the cleartext thing, no matter how crazy it sounds. Cheers mate!

    • http://www.windkr89.nl Erik

      @JX I agree with you, about them being honest about what happened. I am very satisfied with the content and support Envato delivers, but also very surprised about the ‘beginner’ mistake they made. Cheers!

    • Israel

      This is not just a matter of patching the site and it’s over! It’s not like they just gained access to your email address. This is a serious security breach and what is unacceptable is that they knew about the flaw and didn’t do anything right away.

    • Dams

      You’re so funny. Defending them despite these beginner faults dating from the 90’s as they did just shows how unprofessional your work must be.

    • Jx

      @Israel
      Yeah, they have your email address and they have your password for the tuts+ network. They don’t have your billing details. Your tuts+ pass has been reset to a random string. Please don’t tell me you have had the same password for your email account or bank account. I don’t think so.. So what’s the fuss all about? You think hackers are gonna go and try to login to your whatever account with your cleartext password. Come on…

      @Dams

      Dude, what is your problem? Who do you think you are to assume such a thing about my work? I am not defending them, read my comment again.

  • zima

    What kind of a strategy could lead to a cleartext password storage!! You have about two million customers! That is an extremely irresponsible act. I am out of words really.

  • http://christophedebruel.be Christophe Debruel

    NOOOOO. After the upgrade to the new version of the tutsplus site I could not subscribe anymore because I didn’t have a credit card. Now I do and I just registered last friday. :(

    This is very strange, I would never have expected this from you guys. But I’ll remain a subscriber because you have very good content. And I’m certain you won’t make the same mistakes twice.

    • Israel

      you think?

  • http://www.pinaysexygoddess.com Pinay Sexy Goddess

    Interesting. was it Anonymous?

  • Stuart

    I am usually a very forgiving person, but I have to agree with the backlash here. The thing that bothers me the most and is truly ridiculous is the 48 hour promise. That plainly states that not only were they capable of fixing this problem (for the 13 months that it was apparently known, mind you), but that they were, and are, capable of fixing it in two days. That speaks louder to me than any other issue. It shows, 100%, that the company cared more about growth and profits than the security of thousands upon thousands of paid members. I work for a university in IT security and it simply blows my mind to think of this happening to user data at a company of this level. If this happened in any way where I work we would have so many lawsuits from students and fines from the state that the college would probably not recover.

    Also, to those on the bandwagon of “Well you should use a different password for every site. It’s as much your fault as Envato’s.” I’m sorry but no. That has zero to do with the issue here. Yes we can all be better, but like I said, if we told that to students at the university, it wouldn’t mean anything. And it shouldn’t. It’s a paid service. You pay for security and good content. Not everyone is a security master with password software and different variations for all the services they use. In a perfect world, that would be the case, but it’s not. It was Envato’s obligation to take care of the one password they had from each and every one of us, and they failed. Simple as that.

    In closing, I’m most likely done with my membership, but I would like to give huge props to Jeffrey Way. I know if he would have made their user system it would have been rock solid (frankly I don’t know why they didn’t have him do it). His content has always been top notch and I have learned more about development from him than probably any other person. Seriously Jeff, start your own site. I don’t care if it’s $50 a month. I would be the first member.

    • http://www.krsiak.cz/ Krsiak Daniel

      agreed

      @Jeffrey Way
      * launch your own tutorial website
      * I would pay 5 years ahead ;)

      something like
      = thenewboston org
      = css-tricks com

      both are super successful because they are personal

    • http://tutsplus.com Jeffrey Way

      Hey Stuart –

      Thank you for the nice words. The Envato devs are incredibly support – likely much smarter than me! :)

      I understand your decision to close your account, but hope you’ll think about giving us another chance. The one upside to this is that Envato will knuckle down on its security practices ten-fold.

      I’ll be sticking with Envato for the long-haul, so no breakaway. :)

    • http://tutsplus.com Jeffrey Way

      “Incredibly *smart*” :)

    • no more trust left

      @Jeffrey Way
      You are the only reason I was a subscriber to Tuts+. Please, PLEASE, consider breaking away and doing something on your own since I will not be a part of the Envato community from this point forward. PLEASE Jeffery!

  • http://www.webmaster-source.com redwall_hp

    Today I learned that aMember stores passwords in plaintext. ಠ_ಠ

    I sure hope WooThemes stopped using that, because I’m pretty sure they used it in the past.

    • http://www.iuditg.com Udit Goenka

      I was about to make a purchase of aMember 2 days ago but now it gives me a very good reason why I shouldn’t purchase it anymore for my new project.

      Waiting for tuts+ site to get back so that all of us can resume learning once again. Shit happens and only thing we can do is learn from our mistakes.

  • http://www.opensourcevarsity.com Ivan Bayross

    Wow Collis,

    As a fellow website owner I empathize. This must hurt like hell.

    I appreciate you informing me of the security breach immediately and telling me what to do next. I believe that it takes a heck of a lot of guts to do this.

    For what it’s worth, my Tut’s Premium account was auto renewed on the 26th of June 2012. I do hope that money went into the Tut’s Premium account and nowhere else.

    Do get the Envato website up as quickly as possible.
    I for one will keep my account alive.

    Hang in there. Get the password storage issue of the website fixed as quickly as possible. Harden the website as well.

    Get your link to change my password out as quickly as possible. I want to do this.

  • Israel

    wow! this is very disappointing! especially when they knew about the issue and didn’t do anything. why is it that most companies don’t have the mentality of prevention? they always prefer to fix the issue after something happens! isn’t it easier to prevent? just when I was recommending the site to a friend, I guess I will be canceling my subscription after this. Now I wonder if what they teach about security really is useful or just bullshit!

  • http://reallygreat... Mister T

    really great…
    My facebook account was hacked. And that happened before I got the mail from envato. First I couldn’t tell how but now I know.
    You guys fucked it up so hard… its incredible.

  • Steve

    This is bad news indeed. I hope you guys are able to get everything up and running again promptly.

  • Gaz

    Some people really seem to be missing the point of all the frustration and anger here.

    It’s got absolutely nothing to do with being inconvenienced. It’s a matter of trust and respect.

    As many have stated, I use several different unique passwords myself, so changing passwords is not an issue.

    The issue is that there was a known internal and external security risk that wasn’t rectified immediately, exposing people’s sensitive and personal information. This type of thing should not be happening in the year 2012, especially with the known and wildly publicised cyber threats today.

    In the end it simply shows a lack of concern for us as users.

    • Jay

      Yeah – it was a mistake. A pretty bad one. But what do you do after you make a mistake?

      What do you do, Gaz? Or do you not make mistakes?

  • http://overnightpost.co.uk sharpie

    Well, it’s been awhile since the last update.

    I would like to know more about when the site will be back online, what exactly are the new systems in place for password storage, is it another third party company and if so who are they.

    Also, compensation; this is important – to prevent a mass exodus from the premium membership there better be some form of refund of perhaps a free 6 months (min) of access.

    I just went and paid for 1password (mac + iphone) – perhaps Envato can reimburse me this?

    Thanks

  • http://mauromarano.it Mauro

    How the hell could you store passwords in flat text? This is an amateur practice.

  • Ignacio

    I am very surprised (well, not really) about people who have seen an opportunity to demand free stuff. I want this or that for free! I want my money back! Ok, you have learned a lot and now you want all that stuff you learned for free. “Oh, you are idiots, passwordplainers! Give all of this to me for free!” It gets me angry. I think some people desire these kinds of issues to demand something for their own benefit.

    I know there is no excuse for Envato’s bad practices but, c’mon! A bit of seriousness, please.

    • http://overnightpost.co.uk sharpie

      No. The point is the members now have a huge trust issue here and therefore it will take a lot to overcome this. Of course we want our money back! We paid the membership because we believed in the quality of the content whilst entrusting the company with our personal details. This cannot be overstated. This mistake by Envato has greatly inconvenienced a lot of people; that is why they want compensation.

    • Ignacio

      Yes sharpie. ‘We paid the membership because we believed in the quality of the content’. I’m sure we’ll be rewarded, but do you think it’s fair to get your money back?

      Anyway, that’s not the point. The thing is that people see a chance to learn for free. You have learned very important stuff. The point is the attitude.

    • http://overnightpost.co.uk sharpie

      Personal details hacked – yes this is fair and more than enough reason to warrant a refund.

      Learned a lot? What, do you think I should be thanking Envato for teaching me to be more secure? This is so far from the point.

      This is not a chance to learn for free. The compensation to users is a form of punishment and also a gesture of goodwill.

      I applaud Envato for being open and honest so far but there is a long way to go.

  • Gabor

    Could you please inform us when your premium courses will be available again? It would be good to continue with studies.

    Thanx.

  • Pushparaj

    Started investigating the consequences of this incident on my personal accounts on other sites.

    a) Searched Google with my Tutsplus username: pushparaj
    (Glad I didn’t use my full name as the username!)

    b) The 10th result on the first page points to my Deviantart site..
    http://pushparaj.deviantart.com

    c) Checked my mails from deviantart and found this – http://i48.tinypic.com/2mml2p.jpg

    d) Luckily none of the first 10 pages of Google search results points to any of the sites I am registered with, as I have not used my full name as my username with this site..

    The password reset happened 6 days ago .. that means I guess the hack actually happened a week ago, but the envato people came to know that only yesterday!

    I hope other people can find this helpful: search on google or bing with your Tutsplus username, try to change passwords on all the sites in at least the first 10 pages of results that you are registered with!.. Cheers :)

  • James

    I appreciate the honesty. Hope all is well and back up again soon. I have you on my to-do list!

  • Poul

    Well … I don’t remember what password I used for Tuts+, so I guess I’ll have to change all my passwords on all accounts I use to date …

    Thanks and all hail stupidity !

  • Laegnur

    The use of keys in plain text format on a site like this is a double bad practice. First for safety reasons and second because here you try to teach good practices and this is not a good example.

    Using the same key on high risk sites (emails, payment services, …) and normal sites (forums, pages of tutorials, …) is a worse practice. Creating a secure password system is not that difficult. And if you do not want to complicate things, you can have multiple passwords according to the risk of the site you use.

    The users who ask for money back, I think it is the biggest kidding they could say. The only information that has been compromised here is that you’re registered. If you lose accounts on other sites because they have the same key, it is your fault, not Envato’s. The only economic compensation that can be asked is that the days the site is closed are added to paid days.

    P.d.: Sorry for my bad English

  • http://www.junwatu.com Eq

    This is not a big problem for me because I have a unique password for every account that I have, but storing passwords in cleartext??.. That’s very unprofessional!!.
    Really appreciate you being honest anyway. Hope tuts+ will get back online soon.

    • http://www.wxs.dk Amino

      I do agree with you about storing passwords in cleartext. But I love tuts+. I hope they will get back soon.

  • jlennon

    A site that is dedicated to teaching people makes newbie mistakes. Maybe you guys could benefit from some tutorials yourselves.

  • kraft

    I haven’t read all your comments, but as far as I see nobody asks how the hackers got access to the plain text passwords?

    Did they hack into the entire server or what?

    Did they plant any kind of script or append to some existing scripts/applications in order to make a back entrance once you raise your security level?

    Anyhow, I am paying for the knowledge you provide and if anything can bring back my confidence it is more good back end courses and tutorials.

    P.S. Hope you won’t fire the guy(s) who made this mistake, because the chance of them doing the same mistake again is lower than the same mistake being done by some new guy :)

  • http://www.bright-site.co.uk David L

    OK So What’s the ETA for getting the site back online?

  • Henry

    Putting something as important as security on the back burner is an unforgivable mistake to make. Making sure significant user details especially passwords were encrypted should have been a “PRIORITY 1” issue before anything else especially for a high profile site such as Tuts+ Premium. Simply put, you guys knew better but took the gamble nonetheless.

    You’ve learnt that the hard way or rather have been taught a very painful lesson and unfortunately your valued customers are paying the ultimate price for it.

    As unforgivable as this may be, it’s not a unique case. As a developer I’ve come across bad practices like this on even larger more mainstream websites that come about due to developer laziness, lack of security knowledge or even minor oversight.

    Tuts+ Premium is a site with a lot of great content to learn from and I still stand by it. You guys made a mistake but I hope you have learnt from it. It also has to be said that your honesty with the whole situation is commendable, which is probably the biggest reason I’m happy to still support Envato.

    Hope you take the time to get everything sorted correctly and not rush to re-launch. I’m sure your valued customers would be happy to wait slightly longer to use a more secure version rather than a patched quick release.

    *Ps – I just wish I knew which one of my multiple passwords I use online is the one I used for Tuts+ so I could just change my password on the sites where I use the same password instead of every single site I use :o/

  • Tobias Aberg

    Anything new envato?

    And to the angry people that are spending hours and days changing passwords on 200 sites; you’ve probably been told a hundred times to use secure and unique passwords and you just ignored it? You had it coming…

    • Poul

      I can’t remember 200 different passwords. :(

    • Tobias Aberg

      1Password is a good way of not remembering 200 passwords :)

    • Spyros

      And also a way for a $70 charge to appear on our credit card’s bill.

    • Tobias Aberg

      Well spent dollars, euros or whatever :)

    • Spyros

      Couldn’t agree more, but the point is that website owners should care more about their clients’ security. If the passwords were salted and hashed a leakage wouldn’t be a problem at all. ;)

      But I’m going to purchase 1Password either way, I don’t want to spare yet another afternoon changing password.
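The point Spyros makes, shown as an added example that is not code from the original post, from Envato or from aMember: the cleartext record beside a salted PBKDF2 record, with what each reveals if the table is dumped (algorithm parameters and sample accounts are assumptions for illustration).

```python
"""Cleartext password storage next to salted PBKDF2 storage (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative parameters, assumed for this example; tune iterations to your hardware.
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def store_cleartext(password: str) -> str:
    """The practice the thread complains about: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Self-describing record 'algo$iterations$salt_b64$hash_b64' with a random per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record format: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def build_tables(users: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the two 'user tables' a breach would dump: one cleartext, one hashed."""
    cleartext = {user: store_cleartext(pw) for user, pw in users.items()}
    hashed = {user: store_hashed(pw) for user, pw in users.items()}
    return cleartext, hashed


def password_visible_in(table: Dict[str, str], password: str) -> bool:
    """True if the password can be read straight out of any leaked record."""
    return any(password in record for record in table.values())


# Constructed sample accounts; bob and carol share a password on purpose.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}

if __name__ == "__main__":
    clear_tbl, hash_tbl = build_tables(SAMPLE_USERS)
    print("cleartext dump:", clear_tbl)   # every password readable as-is
    print("hashed dump:", hash_tbl)       # only salts and digests
    # Same password, different salt => different records, so the dump does not
    # even reveal which users share a password.
    print("bob == carol?", hash_tbl["bob"] == hash_tbl["carol"])
    print("bob verifies:", verify_hashed("hunter2", hash_tbl["bob"]))
```

A salted, slow hash limits what a dump reveals rather than removing the risk: weak or reused passwords can still be guessed offline from the digests, so a breach of hashed records should still trigger resets and user notification.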

  • Pingback: “cloudify” your life – Part Two – Install LastPass « rownet.co.uk

  • Rob T

    All these negative comments are not helping anything or anybody.

    Envato are not the first company to be storing passwords in plain text, it was just unlucky that they were the ones that got caught out doing it, lesson learned, move on.

    I guarantee that not one person posting these comments can say that they have never made a mistake.

    Personally I am very happy with the way Envato have handled this situation and, more importantly, they have held their hands up and admitted to being at fault, which is very admirable.

    I think it’s time you started to support the site we have all come to love and stop attacking it because they made a mistake.

    • adrian chen

      The only mistake I made in my life was signing up to Envato services. I cannot forgive someone who left my house keys outside the house on the pavement for someone to pick up and rob my house, then have someone up the road telling me they were admirable.

    • Allan MacGregor

      Rob,

      Let’s clarify some points:

      – Envato is a company that provides training for developers
      – They have plenty of tutorials and articles talking about security and password hashing
      – They are taking subscriptions and they have a responsibility to protect the users data.
      – They knew about this problem for about 13 months.

      For 13 months they kept quiet about the issue and did nothing; the only reason they are being ‘transparent’ right now is because they got hacked.

      They are not being honest, they are protecting their asses against future lawsuits.

      Being negligent and making a mistake are not the same; they knew about the problem and they knew the risk, yet they decided to do nothing.

      Still happy?

    • Rob T

      Allan,

      I can appreciate your anger and the fact that 13 months is a long time to leave such an important issue unresolved, especially when user security is involved.

      Don’t get me wrong, I also think that if someone cannot handle the responsibility of collecting user data then they shouldn’t be allowed to.

      However, I still believe that Envato is a great site and instead of rubbing salt in the wounds (They should be putting it in the passwords instead! :D) we should be showing a little more support.

    • Allan MacGregor

      Rob,

      You are contradicting yourself; what Envato did is plain and simple negligence. The users entrusted them with their information and cash.

      They know better and should have done better. I’m not angry, but disappointed and shocked.

      Yes, Envato was a great site; it had great content. As for showing support, not going to happen: this wasn’t a mistake, it was negligence.

  • http://www.annasdesigns.co.uk/ Anna

    Oh woo! I’m thrilled… I don’t remember the password I was using here, not to mention where else I could have used it :( What to do now?

  • Pingback: Update on Tuts+ Premium Security Breach | Envato Notes

  • Michael

    LMAO… funniest comment yet: “Encryption is but a speedbump for hackers”. You, my friend, are a tool!

    The exact same thing can be said about passwords using your incredibly awesome logic, so why even use a password in the first place?

    Why? Because everyone (except you) realizes how stupid it is NOT to have passwords and NOT to have encryption; even the simplest encryption is better than having NO encryption, which is what Envato chose to do.

    All these tutorials and articles on Envato’s sites alone, preaching how important it is to use security, and yet Envato chose to store everything in essentially a .txt document for all to see.

    Complete fail on Envato. “amateur hour” for sure!

  • KoE

    This should never have happened. You should have known from the get-go that storing passwords as plain text is a recipe for disaster, an open invitation. In your haste/laziness/questionable motives, you have harmed a lot of users. You wouldn’t believe how many people still use the same password for most of their accounts.

    Having said that, I really do admire the way you came out and honestly confessed the way you did. You offer some great, indispensable services and I hope you do all you can about getting back on your feet. Best of luck.

  • Get over it

    They made a mistake, a stupid mistake. But it doesn’t change the fact that this is a great site, and the last thing we want is for this great resource to disappear. So stop the bitching and get over it – they learned a lesson themselves.

    • Brian

      You are a daft prick, you know that?

  • Michael

    Collis – please take a minute and read this article 2 or 3 times over before you ever think about taking anyone else’s money again:

    http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

  • Kris

    Hello Tuts+ team!

    As I read in the comments, Vahid said that “All payments are made via off-site services, so credit card details have not been compromised.”

    But if I have a credit card which is linked to my PayPal account and the PayPal account had the same password as my Tuts+ account, then I am basically screwed?

    I am asking because I have bought some items from Envato marketplaces through PayPal and the only thing I ever do is enter my PayPal password and the transaction is immediately done.

    So if anyone wants to spend my cash, then he/she needs only my email and password and boom, the money is gone?

    If I’ve already changed the password in PayPal, is it safe now or do I need to worry about something more?

    Thank you for your answer,
    Kris

    • Laegnur

      Some posts up, they said Tuts+ Premium and the marketplace are separate sites. So if you are not registered here and you only buy on the marketplace, you are not compromised.

  • Michael

    Storing passwords in plain-text!? Are you serious?

  • Moode

    Where can I change my password? OMG!!!

  • Sean

    Just having a quick read of the Privacy Policy (http://marketplace.tutsplus.com/legal/privacy)…

    “This Site has security measures in place to protect the loss or misuse of, or alteration or unauthorised access to, information under our control.”

    • Israel

      they just lie straight to your face!

    • http://www.premiumstuff.net Kev

      I do know that if they actually wrote that in the Privacy Policy and they failed, you can be sued pretty fuck*ng hard.

      That’s the reason I pay thousands of dollars to my lawyer to create a waterproof Terms of Agreement/Privacy Policy.

      Good luck Envato, I hope the best.

  • Tyler

    It’s unfortunate that this has happened, but thanks, Envato, for being honest and transparent throughout the whole process and, most importantly, not trying to hide your nooby mistake. Most other companies would have made up a story or blamed it on something else to cover for their own errors. We all learn by making mistakes. From the look of it, Envato seem to have learned their lesson and we hope this will never happen again.

  • René

    seriously? cleartext? thanks …

  • Kevin

    Clear text??? Seriously who does this?

  • Tommy

    Clear text? Come on…

    If you were doing that, you may as well have sent our compromised password with the mass email so that we know what the password is and whether we have it tied to anything else. Not to mention other things identifiable to us (alternate emails, address, secret words/questions) etc. It’s been a long time since I’ve had to check out my account.

  • Jesper

    Guys! Any chance you could tell me what password I used here? I really need to know. I assume you were on my “trusted” list, but I need to know so I can relax and don’t change a ton of passwords when I don’t have to :)

    Cheers

  • http://www.suruha-freespirit.com Su Hall

    Alright! You messed up, it is a major inconvenience and life goes on! We can continue to beat up those responsible, ripping them new ones, or, we can accept their explanation, pull up our boot straps and move forward. There is no sense in kicking a dead horse, eh? It’s done.
    As to whether anyone continues as a member here, that is another matter. Everyone has the choice of turning away and never returning to Envato. Or, think on it. Hasn’t any one of us made a stupid mistake before? Haven’t we all, at one time or another, done something so dumb? Something that affects others, as well. It’s not a place I like being, but, hey, it does happen.

    I feel that Envato is trying. There is a lot at stake and, despite their piss-poor job at protecting subscribers’ info in the past, what more can they do?

    I feel we should give them a chance. Just ask yourselves, “What if that was me?”

    Thank you for letting me say my piece,

    Su

  • Paul

    What gets me is that a company like Envato could have handled this so easily. It would have been nothing for them to hash the passwords. They just don’t care about their customers. They don’t care about their devs either. I’ve chatted with some of the devs on the marketplaces, and they say the same thing. I don’t know how to explain it except to say that they must be greedy not to care like that. This incident is going to cost them a lot more than what it would cost to pay a security tech to handle the job. It’ll be even worse if it goes to court.

    • Mitchel

      If they don’t care about their customers, why do they say they’re sorry??
      You are just making a fuss because you can..

    • http://www.designbyniall.com Niall

      You said it. And they’re charging people to learn decent web development practices too?

  • Wojtek

    Passwords in clear text. Seriously? I mean I just can not grasp it. I will repeat it again. Passwords in clear text. Seriously!?! I cannot believe that…

  • Mitchel

    I think it is funny that a lot of peeps are talking smack about this. Most of them probably have inherited their skills thanks to Envato and are making money because of their tutorials and courses.

    I am not going to say that Envato couldn’t have prevented this, but hey, they are people too. And they are able to admit they made an error.

    Guys, I just want to end this with a big THANK YOU!!! for all the positive things you do, instead of bitching about 1 (big) negative thing.

    (I am Dutch so plz don’t complain about my grammar)

  • http://benmartinstudios.com.au Ben Martin

    I’m an author over on CodeCanyon, and I can say that I will never be signing up to Tuts+ again after this. It is absolutely despicable that they knew about the issue and did not take immediate action to resolve it. They should have taken the site offline as soon as they found that passwords were stored in plain text.

    These things do happen, and there are consequences. One can wonder, with the absence of a name given, whether this actually was a third party plugin, or whether they screwed up themselves and want to shift the blame.

  • Pingback: Update on Tuts+ Premium Security Breach | Wordpress Themes

  • Michael

    I just signed up for the free jQuery tutorial about a week ago. I do not know if I had a premium account or not. Anyone know?

  • John Boyed

    It says here “aMember does not store password in plaintext.”

    So what’s going on?

    http://www.amember.com/forum/threads/password-on-resend-sign-up-info-is-encrypted.14218/#post-57922

  • Marko

    This was just fucking mindblowing?? I would never ever have believed that Envato, the teacher of security and development, could save passwords as plain text??!!??

    I really think, and maybe even wish, that this fuckup is the end of Envato!

    plain-text…. jesus!

    • Aaron Brewer

      No, you can’t wish that on someone. Obviously it was a mistake. Envato provides very good services and marketplaces.

  • Pingback: Mary tut-tuts at Tuts+ Hacking | mary's blog

  • Tina

    Talk about losing all credibility.
    The staff has known of this vulnerability for more than a year, and has negligently ignored it.

    There is nothing admirable about admitting to a f***up in order to save oneself from a lawsuit.

    The company has been growing greedier and greedier. I am not impressed. I don’t need the service. I will be cancelling my subscription.

  • John

    OMG Plain-text!?

    I’m very disappointed! :(

  • http://www.designbyniall.com Niall

    Plain text? Come on…This is the 21st Century never mind 2012.

    And how are we supposed to change passwords when the site is down?

  • Pingback: Passwords, Password Storage And Password Management | ThoughtStream.new :derick_bailey

  • Patrick Rebel

    Has everyone forgotten that people can make mistakes? If everything goes well then nobody complains.

    You should support these people.

    • Bill

      Agreed.

      Amazing to see the judgment and lack of forgiveness in these comments.

      Do the vitriolic commenters here spew this much venom at governments waging illegal wars or corporations that have been documented to be doing highly illegal and damaging things?

      This comment thread is a very strange commentary on human nature…

  • Pingback: Thoughts on the Tuts+ Breach – Be Your Own Security - Curtis McHale

  • http://www.trimit.com David Griffiths

    How about a course on web site security?

  • Matt O. Time

    I accept your sincere apology.
    Thanks for being constructive.

    • Darren Ryan

      Did you read the full post? They stored the passwords in plain text!!! This apology is not OK; too many people use the same passwords on their PayPal accounts and other accounts, and now anyone who doesn’t change their passwords is putting those accounts at risk too. It isn’t good enough for any website that is taking security details and not encrypting them!!

      They had better make this up to the customers who decide to stick around after this fine mess that they made!

    • Matt O. Time

      I did. And they didn’t pay me to say this ;)
      Enough people wrote what the problem was so I didn’t.

  • Chenny

    “SECURITY
    This Site has security measures in place to protect the loss or misuse of, or alteration or unauthorised access to, information under our control.”

    Was all that just BS?

    Let me tell you what you should do right now, Envato. When something unacceptable like this happens, you should offer compensation as well as explaining whatever excuses you have. But since you haven’t done that…

    Good bye Envato.

    • ian

      Check the updates link at the top of the page. They have offered some compensation.

  • Aaron Brewer

    The only Envato website which requires you to pay a recurring amount of money, monthly. Tsk, tsk, tsk.

    http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

  • HCinwanderlust

    Well.
    At least they are straightforward about their screw-up.
    It’s too bad this world is so filled with scum, such as those we need to protect our privacy from.
    Just don’t stay gone too long, Tuts!
    I looove you and what you do!
    Give me more!

  • Robert

    I’m pretty sure that this is against the law no matter which continent you are from.

    The Data Protection Act states that any personal information, including payment information and passwords, should be stored in a secure, encrypted manner.

    The fact that the password was clear text means that, on the grounds of negligence, Envato could be in for a lot of lawsuits….

    I for one will not hesitate to offer my legal advisors some work if any repercussions come of this.

    Saying sorry for someone hacking them is one thing, but being negligent in regard to the safety of personal data is not excusable!!!!!

    • Matt O. Time

      Being aware that my person is only one of many…
      I had no damage. It doesn’t even bother me. Their company grants me benefits. That’s OK for me.

      That might not be correct in terms of the law in force. Lawsuits can be expensive though… A lot of hotdogs… But even if it was illegal, there are probably rules on how to sue. I mean, for example, to address somebody that is reliable, instead of standing in front of the whole company with burning torches. At least this would be useful, wouldn’t it?

  • Anonymous

    You fucked up. Only you’re to blame. I won’t be forgiving you, and no one else should. Plain text? That was a bad decision from the start.

    Get your act together. You run one of the most visited websites on the internet. You should take security seriously.

    I for one will not be using any of your sites again. I had much respect for the owners before this event. Trust at 0%. Respect at 0%.

    Getting hacked is one thing, storing the passwords in plain text is another.

  • http://danielparra.com Daniel

    Well, shit happens… and that’s absolutely understandable, we’re all humans and we can make mistakes.

    Even though I love all the content and skills that I’ve learned thanks to Tuts+, I really think it is very irresponsible on your part not to fix an issue that you guys knew about at least a couple of weeks ago. As soon as you knew about it you should have taken the site down for maintenance until this issue was fixed.

    For obvious reasons you didn’t want to shut down the site before this, but what now? The site is finally down now (because you couldn’t ignore this any longer) with the HUGE downside that you have a bunch of disappointed members that might not be willing to renew their subscription in the future.

    To be honest, it is a shame that you guys let this happen. I admire the fact that you notified all members about the security breach, but knowing about this and doing nothing… that I cannot understand… that’s just unacceptable.

    I’ve spent at least an hour or so changing my passwords. Good thing that I use an email alias for each online service that I sign up for… that way if I receive junk email later on I know which service compromised my personal information.

    Anyways, thanks for letting us know about this and hope this can be fixed soon.

    • Jay

      I use an email alias too, for exactly the same reason.

      But seriously – you use the same password? Man, you need to change that big time. Visit lastpass.com

      If you had unique passwords, this wouldn’t have affected you at all. Yeah it’s true that they probably should’ve pulled the site when they realised it could be such a potential problem.

      But LinkedIn got hacked and theirs were encrypted, so nobody is safe. Envato had plans to change, but unfortunately this got them before they could.

      I’m more disappointed in the hackers, than Envato.

  • Leo

    That is gross negligence… and YES, IT IS A BIG DEAL. 2 free months… a month’s refund… you guys are joking, right… Even more important, someone that pushes their main site with a problem like this obviously does not know what they are doing, and it can’t be expected that people will pay the same site to learn about development.

    You got hacked?? The only thing missing was to have all the passwords in a folder that had public access…

    Good luck going forward.. but I am done.

    • Jay

      I wish them good luck in moving forward too. I’ll be renewing my membership, and continuing to highly recommend Envato and Tuts+.

      They’ve made a big mistake here. But who hasn’t ever made a mistake in their entire life?

      This hasn’t inconvenienced me in the slightest, so it doesn’t affect me at all. I don’t need any special treatment. I don’t even need the two months free. The amount of awesome content Envato have shared for FREE over the years is more than enough compensation.

  • http://www.oozos.com.au winston

    Ouch, ouch, ouch. I have to change passwords for my 40+ subscriptions. Darn. I was just wondering yesterday why Apple sent me an email to confirm if I wanted to change the password on my account. Could have been this one or just my son wanting to purchase Minecraft. Either way, argh. I want 1 year’s worth of free stuff from Envato! :-P

    • Jay

      Why on earth are you using one password on 40+ sites?

      Ouch, ouch, ouch.

      Visit lastpass.com and fix your own password management problems before you start mouthing off about anyone else. My goodness.

  • Prad

    Can’t believe you guys don’t practice what you preach. Plain text passwords?? Are you guys dumb nuts? But at least you did have the courage to mention it. Still, guys, people would have known what your email meant; this will be a big joke on Envato for some time to come!!!

    • Jay

      I’m over it. Envato are seriously great. I have zero affiliation with them, but have used their services from the early days, and I can say that I have immense respect for them.

  • Pedro

    They got hacked, but I didn’t. Changed my passwords. Is getting your money back for one month and then getting 2 months free enough for everyone? I would be good with one year.

    • Jay

      I think it’s enough. It hasn’t affected me at all.

  • http://www.latestandhot.com Cybosoft

    I agree with Pedro, they should give at least one full year.

  • curiousEngine

    What the hell?!!!
    Don’t you have security specialists in-house??

  • Cristian

    Hi! I don’t remember what was the password I used for psdtuts.com. How can I know? Thanks…

  • http://lancashirecaterers.co.uk preston caterers

    WOW just what I was searching for. Came here by searching for blackburn event caterers

  • http://einarolafsson.com einar

    I like that you didn’t try to hide this from us, but it is still a bit unbelievable that this should have been possible. Even if they are able to break into your systems, it should still be hard for them to get access to people’s passwords.

    The fact that I heard this from you first and not some news source leak is what is still holding on to some trust on my behalf to your organization.

    I just hope someone has the knowledge to track the hacker/s down and post information about them for all of us to see.

    After LinkedIn was hacked I started using LastPass. I just hope that they know how to keep hackers out of their systems and away from my information.

  • Brenda Malone

    I agree with Jay, the Devs made a mistake. Yeah, it inconvenienced me for about an hour, but I have even better security for my online presence because of it.

    Collis was fast and straight-up with the details, and you gotta love a company that has that kind of honesty and transparency.

    The Envato family of tutorials and marketplace items has saved my ass many times and I am a better Web/Graphic Production artist because of them.

    The concessions Collis is offering are fair, and more than what I received from LinkedIn a few weeks ago. Some have been suggesting that one year of free membership should have been offered. Okay people, if Envato gave away their stores for a year, they would not be able to subsist and still offer the quality products and tutorials.

    I am with Envato 100% and have missed the courses in the past couple days–I was grooving with Jeffrey Way and PHP–and eagerly await the site going live again.

  • http://maren.com.ar Martin

    Hi guys, 2 days ago I was kind of mad, but seeing how you guys told us about the problem and left these forums open for people to give their opinion makes me remember how much I’ve learned and how I’ve impressed clients, plus you guys are being honest. Hope everything goes OK and we can move on. Good luck!

    • Akos

      I agree, word by word.

      I use different passwords on each site, so I’m not that concerned, however not cool.

      You guys have taught us the biggest lesson by a negative example. Cheers for that!

      Would like to see the site up soon.

  • thecodingdude

    Congratulations, Envato, you are the world’s biggest idiots on the planet. A site that teaches you best practices, that teaches you how to be secure, and here you are, storing passwords in plaintext.

    Envato, this is ignorance of the highest order, and you should be ashamed of what you, and you alone, have let happen here today.

    I really don’t know what you’re going to say about this; just shrug it off like you usually do? It’s no lie that you guys are greedy and lazy, the entire community knows it. We have told you things to improve and you say “it’s in the pipeline”.

    Well, I guess rebuilding your business and customer faith and trust is the next thing “in the pipeline”.

    Good luck Envato, if Sony is anything to go by, you’re going to have a tough time.

    Fools.

  • http://www.kbphotography.co.za photokirst

    Mistake made, lesson learned. You guys have handled the situation well, any idea when this fantastic site will be up again?

    • http://felixeloso.com Felix

      Seriously, the only thing I’m upset about right now is that it’s clearly been over 48 hours and I’d really like to start using the services. So can someone that actually works for Envato make some kind of announcement about when things will be back online?

  • Brita

    I have a question about the free 2 months. I have been enjoying the free class JQuery in 30 days and was planning on signing up for tuts-premium. Strangely, since I only have 3 lessons left in my class I was going to enroll this week. Timing is everything I guess.

    I understand that things happen but that doesn’t diminish the quality of the instruction you provide. Although I hadn’t signed up and I didn’t have my password compromised, I am missing my daily JQuery class. Can I still get in on the 2 months of free classes you offered above? Do you need proof that I was taking the class? I have the files I created while following along with the lesson.

    Thanks,
    Brita

  • dante1

    Envato
    It would be nice if you did a 30-day course on web security now that you are covering PHP basics. By the way, you said the site would be up today and still nothing; please confirm when this is going to happen.

  • Guy

    Thanks for making me change my password to:

    Tuts+,
    Facebook,
    Twitter,
    Amazon,
    PayPal,
    Ebay,
    iTunes,
    My Macbook Pro,
    My PC,
    DropBox,
    and many many more.

    I had a really powerful and meaningful password.

    Was it my fault I used one password for all of them? Perhaps.

    Was it your fault you got hacked? Absolutely.

  • http://davemeyerson.com Dave

    Are there any updates to this situation?

    I have an idea, since this is obviously going to take a bit to get settled, remove the login restriction on the site while you figure it out, open up all your content (minus the free books/intellectual property) to everyone. That way we can still access the content, keep learning and keep the momentum going. Then when you have fixed and tested the security issues, reinstate the authentication and go back to business as usual with whatever refunds you think compensate for the inconvenience.

    People here need to realize that the real power of Tuts+ is the content; it’s the people that work tirelessly to create these tutorials and courses. It’s unfair to lump them into this situation by removing access.

    Granted it could have and SHOULD have been avoided in the first place, but failure is simply an opportunity to learn and move on. Everyone here should realize one fundamental thing about doing business online: NOTHING, and I mean NOTHING is 100% secure. Sure you can do a lot to mitigate issues like this, but there is always going to be someone who can get around it.

    Just my 2-cents.

    -Dave

  • http://votainformado.mx Fernando Romero Tirado

    It’s been over 48 hours (I think) when will the service be up again?

  • Mark

    Sadly, I’m not surprised.

    I don’t even come here anymore. I loved the dashboard – quickly could see all the new tutorials at a glance. That’s gone. And checking each individual site to find out which ones had reposted old tutorials as new – lost interest in a hurry.

    I only came back because of this email. And….I’m amused.

    I program. That means – I program. I don’t consider you a developer if you’re using plugins. I don’t mind use of code snippets, but if you develop – DEVELOP. I keep reading that Envato has a huge staff of developers. So what are they doing? You don’t need *any* developers if you are going to use plugins.

    I trained my mom – retired and in her late 60’s – how to put together a site in WordPress and use plugins, so I could pass along such jobs to her and concentrate my work efforts on actual development. That’s not development, I’m sorry. It’s chimpwork (sorry, mom!).

    To Jay, John and Pippen (a.k.a. Team Brownnose), believe me, your kissing-up efforts are way more irritating than the negativity and complaints. The complainers complain once, and move on. You guys keep repeating your suck ups over and over. You tell the complainers to get over it and move on – follow your own advice?

    If you are tired of the negative complaints, here’s a novel idea. Close the browser? Aliens aren’t channeling the negativity into your brains with microwave (so you can remove the tinfoil hats). You have to make the effort to see them. Stop looking, and you will be free! You don’t need Moses to lead you out of the Desert of Negativity – just click the ‘x’ in the top right corner.

    If you’re using the same passwords around the net – ya, you’ve helped a bad thing get worse. But the “mistakes happen” line from Team Brownnose doesn’t fly.

    January of LAST year, they published an article on password storage and security. (look at the date on the first comment, not the re-crafted publish date for the article)

    Summer of LAST year, they were made aware there was a problem.

    December of LAST year, the company that makes the bad plugin patched it.

    So these developers had over a year to fix the problem. They had 6 months to install an upgrade – no development even needed, someone else did the work for them. Had they wished to learn it and actually play Real Developers for a few days, they could have read the tutorial from this site.

    It’s a mistake if you put your face in a meat grinder and didn’t know it would turn you into sausage. It’s not a mistake if you read the manual, and the warning label, and removed the plastic guard to keep you from putting your face in the grinder.

    It’s just stupid.

  • Jimmy

    Hello yesterday and today I was looking at this site with respect to purchasing quite a few downloadable after effects tutorials from the marketplace.

    I read and know that you say it was/is not affected, yet in the same breath you also say this breach is basically your fault, as you knew about the security flaws in your system and were going to fix them, although no time frame was ever given, nor how long you’ve been operating like this.

    Since you knew about these security flaws, and did not address them, I realistically cant accept ‘on faith’ that the other sites you own and operate are/have not also been accessed illegally.

    I cant in all good faith purchase anything from you because of the very statements you have said.

    It’s a shame that you were negligent in this issue, as not only does it affect many current users, it affects the faith of new ones like me, who, to be honest, will look elsewhere for their educational material. In fact I am already doing this.

    Your consistent inaction certainly adds (and is clearly true) to the general belief that it’s the companies that are solely responsible and willfully negligent, and that it is not safe to purchase anything over the web.

    This is not my real email address; I think given the circumstances to give that here would be foolhardy.

    Technically it’s not a difficult matter at all to address to ‘come up to standards’ with acceptable and required security implementations, what is, is the faith that people have lost in you.

    I don’t know how you’ll ever recover that. But I do wish you the best in trying.

  • Jorge

    Passwords in plain text? You kidding?! … unbelievable.

    Sorry Envato, there is NO excuse for that.

    The value of my Premium subscription is gone with such a mess :-/

  • http://www.superdesigngirl.com Katherine Hambley

    Thanks for being honest with all of us. I’m sure people will try to capitalize on all this and expect something for free. I don’t, it wasn’t your fault that there is evil people in the world who lie, cheat, and steal. You provide a great service and I hope this doesn’t distract from the great educational service you provide. Don’t beat yourself up too much, you’ll live to see another day, and a little wiser too. :)

  • Pingback: WP Late Night #15: "Pixels don't matter" | WPCandy

  • Gemma W.

    a) Envato should have used best practices right from the start.

    b) Everyone knows about hackers so the responsibility lies with all three camps.

    c) If you didn’t use a unique password for Tuts+ Premium then you only have yourself to blame if anything bad arises from this. Don’t be a fool; use unique passwords.

    d) Be grateful financial info wasn’t stored on Envato’s servers.

    e) Everyone makes mistakes, but not everyone has the balls to apologise publicly knowing they’re likely to cop a lot of heat.

  • Pingback: Jami Gibbs, Envato Security, Tablets and Prometheus | PleaseAdvise.fm()

  • http://www.hacksoft.com.pe/ TheHack3r

    @Envato
    Rather than go through more hassle of refunding 1 month +
    2 months free, Just unlock all tutorials for 6 months for all existing users + new signups should avail of 3 free months.
    …………………………………………………………………………
    @Jay, John and Pippen (a.k.a. Team Brownnose)
    as the name was stated earlier by a fellow poster,
    I am not asking anything of you so please be silent.

  • Pingback: wp-coder.net » WP Late Night #15: “Pixels don’t matter”()

  • Pingback: FreelanceSwitch Job Board / Forums Passwords Reset()

  • Pingback: FreelanceSwitch Job Board / Forums Passwords Reset | My Creative Directory()

  • Pingback: WP Late Night #15: “Pixels don’t matter”()

  • Pingback: Tuts+ Premium Back Live and Patched | Envato Notes()

  • Pingback: Per-User Password Hashing Algorithms - Thomas Hunter - Web Development Tutorials and Personal Opinions()

  • Mark Rivera

    Well, finally everything went back to normal.
    Thanks for the hard work, Envato team, and none of my credentials were taken or lost by this serious mistake.

    To all those haters, the Envato team didn’t want this; in fact they informed you/us in a timely manner to avoid serious damage to your account.

    If they were going to let this happen to us, Envato would be in a big scandal; for sure they won’t let that happen.

    Think about it, haters…
    Hackers will be hackers, and they are already laughing at the Envato team.

    • Ryan

      This has nothing to do with ‘haters’. It’s simple negligence. A security hole was known about for over a year and nothing was done about it.

      Hacking is hacking, you’re right on that. Anyone is open to an attack, regardless of security. However, the issue is that no encryption was in place.

      So, while I appreciate your desire to support Envato…you clearly don’t understand the issue if you think this is just about ‘haters’

    • Mark Rivera

      I do understand your point, sir. However, many of us here are starting to hate the Envato security system, knowing that our important information is saved / kept in simple plain text, which ALL of us clearly don’t understand why… correct?

      Why are we all here on this site? WE have the same purposes and in return we get good benefits… Now, this is the reason why we get mad: because our benefits turn bad by simple negligence of their team and so on…

      I am also in this industry, and have clients whose sites got hacked; they get mad, sad and upset with our services. Of course, we will do our best to fix it right away. Just like Envato did.

  • http://n/a Fabrice Noel

    I would like to thank the Envato team for informing me about the problem.

    How do I reset my password?

  • Pingback: WP Late Night #15: “Pixels don’t matter” | Web Designer Bacolod City | Ricky Noel Diancin Jr. Webmaster | Wordpress Expert()

  • Pingback: BlogBuzz June 30, 2012()

  • http://www.dakotatimmons.com Dakota

    I am just as upset. I’m sorry but I learn Web Development tutorials from you guys and yet you don’t hash your sensitive information. Odd.
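    Dakota’s point, that sensitive data such as passwords should be hashed rather than stored as-is, is the technical core of this thread. The following is an added example, not code from Envato, the plugin in question, or this page: it contrasts the cleartext storage pattern with salted PBKDF2 hashing and shows what a leaked copy of each table reveals. The iteration count, the sample accounts and the in-memory dictionary “tables” are assumptions made for illustration.

    ```python
    import hashlib
    import hmac
    import os

    # Work factor for PBKDF2-HMAC-SHA256. An assumed value for this example;
    # production deployments should follow current guidance for their hardware.
    PBKDF2_ITERATIONS = 200_000


    def store_cleartext(db: dict, username: str, password: str) -> None:
        """The flawed pattern: the password is written verbatim, so any copy of
        the table (backup, database dump, stolen server image) yields it directly."""
        db[username] = {"password": password}


    def store_hashed(db: dict, username: str, password: str) -> None:
        """Salted, slow hash: the table holds only the salt and the digest, and the
        salt is random per user, so two accounts with the same password get
        different rows and the password itself is never written anywhere."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )
        db[username] = {
            "salt": salt.hex(),
            "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS,
        }


    def verify_hashed(db: dict, username: str, password: str) -> bool:
        """Recompute the digest with the stored salt and iteration count and
        compare in constant time, so timing does not leak how many bytes matched."""
        record = db.get(username)
        if record is None or "hash" not in record:
            return False
        salt = bytes.fromhex(record["salt"])
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, record["iterations"]
        )
        return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


    def secrets_exposed_by_dump(db: dict) -> list:
        """Model what a leaked copy of the table gives away: every user whose row
        contains a readable password. Hashed rows contribute nothing to the list."""
        return [user for user, row in db.items() if "password" in row]


    if __name__ == "__main__":
        # Constructed sample accounts; not data from the incident.
        cleartext_db, hashed_db = {}, {}
        store_cleartext(cleartext_db, "alice", "correct horse battery staple")
        store_hashed(hashed_db, "alice", "correct horse battery staple")
        print("exposed by cleartext dump:", secrets_exposed_by_dump(cleartext_db))
        print("exposed by hashed dump:   ", secrets_exposed_by_dump(hashed_db))
        print("login, right password:    ", verify_hashed(hashed_db, "alice", "correct horse battery staple"))
        print("login, wrong password:    ", verify_hashed(hashed_db, "alice", "hunter2"))
    ```

    The difference the thread is arguing about is visible in `secrets_exposed_by_dump`: a stolen cleartext table hands over every password unchanged, while a stolen hashed table forces an attacker to spend the full PBKDF2 cost per guess per user, which is why a per-user salt and a deliberately slow hash are the accepted baseline.
    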

  • Nenad Pantic

    This is a catastrophic event; I am thinking where else I used a password which I used on my Tuts account.

    It will get harder and harder to control things around the web, as services grow more and more dependent on one another.

    As for now, I am trying to reset my password with Nettuts, but I’m not receiving the auth link, not even in the spam folder.

    • John

      Never use two of the same passwords on the web. Use lastpass.com

  • Ryan

    Envato has breached their own Privacy Policy:

    “SECURITY

    This Site has security measures in place to protect the loss or misuse of, or alteration or unauthorised access to, information under our control.”

    Loss of member details is one thing, but storing un-encrypted passwords is so fundamentally wrong.

    It’s like a bank keeping all their customers money on the front counter rather than in a safe. So when the crims break in through the back door, it’s all there ready for the taking.

    There will be financial and security issues for some members following this. Envato is liable for every one of them (regardless of whether or not an individual should have used the same email/password combination elsewhere). The fact is Envato served up these details on a plate, sitting on the front counter when the crims broke through the back door.

  • Mike Mitchell

    So is the “reset password” function working for anyone else?

    I have tried to reset my password and never get the e-mail with directions on how to do it.

    I do (quickly) get e-mails for the Support Ticket I submitted about this issue. Nothing is caught in my SPAM filter either.

    Sounds to me like Envato still doesn’t quite have its act together here…

  • Pingback: FreelanceSwitch Job Board / Forums Passwords Reset | Web Designer Bacolod City | Ricky Noel Diancin Jr. Webmaster | Wordpress Expert()

  • http://- Tuts user

    OMG. clear text passwords? wow. I have no words to describe the shit storm you guys are now facing! lmfao seriously, who stores passwords in cleartext? that is a noob mistake.

    To all the people who signed up to premium, I am sorry for your losses.

    Can anyone suggest a good alternative to this rookie site?

  • Pingback: Free Access on Tuts+ Premium | Envato Notes()

  • http://www.marchhousedesign.com chris

    Top marks for your response. I recently changed my email policy for all my logins so they are unique to each site.

  • Pingback: It’s Time to Secure Yourself Online | CreativeDojo()

  • Jonathan

    I cannot believe it! Best practices? Clear text? Holy cow, I am so upset.