Important Update On Account Security

 98   Tweet

Last month when the Heartbleed bug came to light, we immediately patched the exploit, and notified users via Notes, forums, and email newsletters, explaining Envato’s response and advising all Envato users to change their password.

Since then we’ve been tracking the number of password updates on our system and while it’s good to see some of the community being proactive about their security there’s still a large number of users who have not yet updated their details.

Along with the Heartbleed exploit, the last year also saw the highly public Adobe leak of user account details. These and similar security incidents have led to an increase in attempts to use leaked lists to find people with weak or repeated account details. In recent months, both prior and since Heartbleed, we’ve seen an uptick in these sorts of access attempts on the Envato userbase. While we deal with vulnerabilities and incidents quickly and aggressively, the most effective action is always a complex and unique password choice. That is why we feel it is now necessary to require all users to change their password if they have not already done so.

Required Password Reset

If you have not updated your password since the Heartbleed exploit patch at 06:42am on 8th April 2014 UTC and you are currently logged in to an Envato site, you will be logged out and required to reset your password before you can continue to use the site. If you are not currently logged in the change will be required when you next log in.

You will need to use a brand new password. Because we have much stronger password requirements than in previous years, this will simultaneously require all our users to increase their password strength.

I’d like to apologize for the inconvenience today’s measure will cause, but the security of all our member’s accounts has to be our first priority. Please review the FAQs below for more detailed information.

Frequently Asked Questions

When will this happen and what should I expect?
Please note: This information applies only to people who have not changed their password since 06:42am 8th April 2014 UTC.

The password change requirement went live at 12:00pm AEST. If you were currently logged in to an Envato site, you will have been logged out in order to ensure the required password change occurs. We apologize for this inconvenience.

Do you have any tips on how to make my password strong and secure?
Yes! We strongly advise the following:

  • change your password to a unique, complex password that cannot be easily guessed. Consider using a password generator to assist
  • do not use a password that has been used previously on any Envato site or any other external site
  • store your password securely. Consider using a password manager like 1Password, Password Genie 4.0, LastPass or Dashlane

We also have a great article about using your account securely.

If I have changed my password recently will I be required to change again?
No. If you changed your password after 06:42am 8th April 2014 UTC, you will not be required to change your password again.

Oh no! I got locked out of my account – what should I do?
We can help you! Please email accountsecurity@envato.com.

I no longer have access to my original account email address and can’t complete the password change. What can I do?
We can help you! Please email accountsecurity@envato.com.

What happens if my account is compromised?
If you suspect your account has been compromised, particularly if you notice unauthorized purchases made to your account, please email accountsecurity@envato.com. We are on hand to assist you.

Which Envato sites does this affect?
All our Marketplaces – ThemeForest, CodeCanyon, ActiveDen, 3DOcean, AudioJungle, GraphicRiver, PhotoDune, and VideoHive. And Envato Studio.

How many accounts have been affected?
Apart from users who have signed up or changed their password since the Heartbleed Patch 06:42am 8th April 2014 UTC, all users are now required to change their passwords.

Are there any future security updates planned for the Envato Marketplaces?
This year we have been ramping up our commitment to security with a dedicated security team, a Helpful Hacker program, and by taking a more proactive approach with users as we are doing today. We will continue to share news of these and similar initiatives as they are launched.

I am getting an error message saying that the URL has expired or I have an invalid token. What should I do?
1: You may have accidentally requested more than one password reset, so there might be another email in your inbox with another link you could try.
2: Try copying and pasting the link into your browser as some email programs can incorrectly wrap or otherwise break the URL or link we emailed you.
3: Try signing in. You may have already successfully changed your password. There’s no harm in trying to sign-in.
4: If you still have no luck please contact us at accountsecurity@envato.com

I have not received my password reset email. What should I do?
1: We may be sending out a lot of emails so please allow upto an hour for the e-mail to come through.
2: Have you checked your Spam Folder?
3: Request another reset of your password directly through this page: https://account.envato.com/password_resets/new
4: If you still have no luck please contact us at accountsecurity@envato.com

 

  • http://audiojungle.net/user/KuklinStudioMusic Konstantin

    CooL :)

  • http://audiojungle.net/user/KuklinStudioMusic Konstantin

    CooL !

  • Asif Zaman

    Thanks For Info & Account Security :D

  • Vitaliy

    Thanks gyus for info!

  • http://www.bnnoor.com behzad

    i hope force user choice number and alphabet :)

  • Hidden

    That BS! If I want my old password then let me have my old password! It’s not your concearn what password I want or if I want it changed!

    • http://audiojungle.net/user/IsaacA Isaac

      They’re just trying to help you. And it’s for your own good as well. Keeping your old password makes you vulnerable and prone to attacks. It’s up to you.

  • http://serverthemes.net/ Vu Luu

    Thanks for infomation. I will change my password

  • Charbel El Haddad

    Many Thanks for your News and we will update it :D

  • http://damayar.ir/ damayar

    My Account was hacked last week.
    I reset my password , hackerd does’t changed my Email.

    • http://superblog.co/ Pat

      Hopefully you picked a much stronger password this time! ;)

  • http://www.businessidentity.graphics Hadi Prasetyo

    Thank you!!!

  • http://www.webleadia.com Lea

    First time I am hearing about this, Envato. I log in pretty frequently as well, and you have my email address too to inform me. And I am on your facebook – how have I missed this?

    • Dan Michael

      Thanks for your patience on this one. We’re getting to everyone we can!

  • Hidden

    This is kind of funny. Being worried about the heart bleed bug, and have no https (only on login)?

    Cookies are being sent as plain text over the network. Why would ever anybody would try to break into an account exploiting the heart bleed bug, if that person can just grab a cookie and get in?

    • Dan Michael

      We’re doing the best we can given the seriousness of the situation Hidden :/

  • Mahade Hasan

    Good Security :(

  • Randal

    Great article Collis. Maybe you could add Sticky Password to the list of mentioned password managers? I use it for a long time and it is a great solution.

    • Dan Michael

      Will pass that along, thanks!

    • Randal

      Thanks, appreciate that. And good luck with this trouble, Heartbleed hurt everyone..

  • http://qass.im Qassim Hassan

    Thanks Mr.Collis

  • http://medesdesign.com Arash

    Thanks for the information. I hope everyone will do it soon :)

  • http://www.mycodepartner.com/ Akhil K A

    Thanks for the update. Password changed!

  • andrei

    im user livingroomClassics and for the last week or maybe more i havent been receiving any mails from envato when my items were approved or rejected.

    thats not that bad, though its not normal,
    but the bad thing is that i relogged into my account
    some hours ago and it said i had to change my password
    and that a mail was sent to me with a link to reset password.

    since i cant receive mails from you, that mail
    hasnt arrived and i cant log into my account again.

    i suspect im being sanctioned for something.

    also, i suspect that if you reply to my mail address, i wownt get the message.

    am i being banned? if so, shouldnt i be told before??

    • Dan Michael

      HI Andrei – there is a serious amount of work going on and it may take some time to get to everyone, we appreciate your patience on this one.

      You can also reach our dedicated email support for this here: accountsecurity@envato.com

      Hope that helps!

  • Monteyne

    When did you patch ssl ? i changed my password ten days ago, still have to change my password?

    • Dan Michael

      There is info within the post on this Monteyne:

      “If you have not updated your password since the Heartbleed exploit patch at 06:42am on 8th April 2014 UTC and you are currently logged in to an Envato site, you will be logged out and required to reset your password before you can continue to use the site. If you are not currently logged in the change will be required when you next log in.”

  • http://brantlegh.co.uk/it manchester

    This is a headache. If I have to change my password, Please make it easy to retrieve, when I inevitably forget it!

    • Dan Michael

      Easy to retrieve, sounds like easy to hack to me!

      We will do the best we can in this situation manchester :)

  • WPWiseOwl

    Using a username / password alone has never been enough these days as you probably already know. The increased complexity of the password only helps so much.

    I asked for the “option” (not requirement) of being able to use two factor authentication back when the plain text password storage issue was discovered but maybe finally now after heartbleed that request will finally see some traction?

    • Dan Michael

      Hopefully soon! It is certainly on our minds for our communities peace of mind!

  • http://tinydesignr.com sam

    Thanks gyus for infomation. I will change my password!

  • bgton

    I want my old password then let me have my old password! It’s not your concearn what password I want or if I want it changed!

  • Ana

    Thank you.
    But I’ve not received any email.
    I’m gonna reset my password!

    • Dan Michael

      It may take some time to reach everyone, thank you for your patience and yes please do!
      :)

  • http://notupyet June

    I have just purchased Expressions, I have the purchase code, you guys have my user name listed, however, when I try to reset my password (I forgot it, so would be changing it anyway) I get the answer that my user name is not listed with you guys. I am caught in a vicious cycle.

    I want in!
    I have questions.

    what to do?

    Please email me some way to reset my password….thanks

    • Dan Michael

      Oh noes! We can help!

      Sounds like a typo maybe?

      Please email accountsecurity@envato.com for help with your password reset.

  • http://www.emblogger.com/ Jaiser

    Thanks for update, just changed my profile password to secure from any risk :)

  • https://facebook.com/grlivelyman এম.আই মুন্না

    change ☺ ☼

  • Juan

    Changed my password, and after then my balance is $0.00 and before that my balance was $11.00 Something happened

    • Dan Michael

      Uh-oh… something happened indeed!

      Please email accountsecurity@envato.com for help with account your balance, I am confident we can sort this out.

  • http://www.kadrlike.ru Vladimir Pavlychev

    Thanks for info, crazy hackers so stronger…

  • Jeff

    Not receiving the email, nor any reply from support – come on guys get back with me I have things to buy – don’t push away customers.

    • Dan Michael

      We have no intentions of pushing you away Jeff!

      We have a dedicated email setup for help with this issue: accountsecurity@envato.com

      We appreciate your patience on this one, and apologies for the delay.

  • http://www.best8fitness.com/ Fitness Motivation

    THANKS!

  • Diana

    I have tried to reset my password all today and I have not gotten a reset email in my inbox nor my spam folder. What the HECK. I don’t mind reseting my password but if you say you are going to send me an email and you don’t I get a little aggravated. Seriously? I spend a lot of money with you guys. At least you can do is send me an email or something. Not happy customer.!

    • Dan Michael

      I do apologise Diana! As you can imagine this situation has increased our normal workload quite a bit :/

      Sorry for the delay, please email accountsecurity@envato.com for help with your password reset.

  • http://blogerr.net/ Michelle

    Thanks for the update, Collis!

  • http://www.wpdil.com/ mustufa lodha

    Thanks for this information…

  • http://www.bookpanorama.com/id/hotel/detail/yogyakarta/hotel-santika-premiere-jogja/?utm_source=ealdrian&utm_medium=gsa&utm_campaign=hotelname Veta

    Thank you for sharing your info. I truly appreciate your efforts and I am waiting for your next
    post thank you once again.

  • vbizsoft

    Hello,

    We are very much disappointed with your ticket system for us 3 days are gone and we don’t have any reply then i send few emails and still no answer.

    We have a corporate account with you and purchased many themes, graphics, codes etc as paypal don’t exists in our country we normally request our clients to fillup credits so we can purchase themes etc

    3 days ago we request one of our client to make $100 deposit so we can purchase more themes he did it after that our account automatically disabled we contacted our client to check his email but unfortunately he don’t use that email address anymore as that email was provided by some of his local ISP we cannot followup with that email and restore our account.

    We have requested envato to restore our account access so we can download the updates and if they think its not correct they can refund that amount and we request our client to repay again with his credit card.

    Because of this all situation our 3/4 projects goes delays client is asking we feel very bad and losing face.

    There are no phone numbers to call in or any other place to contact envato directly.

    I hope Mr. Collis will comeup with some solution.

    Thank you,

    • Noel

      Hey vbizsoft,

      This is Noel from Envato Support.

      I’d really love to help you with your issue. Would you be able to provide me with the ticket reference for your ticket?

      I’m sure we’ll be able to sort this out for you.

      ^Noel

    • vbizsoft

      Hello Noel,

      Thanks for your email i replied to you ticket id i hope this problem will be solved today we are very much under pressure

      Thanks,
      RH

    • vbizsoft

      Dear Noel,

      Thanks for your help and support my account is back to normal.

      Thank you again

      RH

    • Noel

      You’re welcome :)

      I’m glad I could help!

  • kdubdent

    Hi guys,

    We appreciate that many community members will have questions and feedback about security measures and we welcome the involvement via our Helpful Hacker program. We practise responsible disclosure which means we do not discuss the details of security vulnerabilities on public forums such as these. We aim to report back to the community & recognise the Helpful Hacker program after a vulnerability has been rectified.

    We always put our community first and have a team dedicated to working on preventing, detecting and responding to security threats. We always have, and will continue to release and improve security related features. Some changes will be obvious to you (like this password reset initiative) and others will be “under the hood” changes. This is an ongoing part of operations at Envato.

    The involvement and attention paid to this matter has been fantastic. We need your participation to make this work so it’s encouraging to see so many comments when we make these types of announcements!

    – Kelly

  • Kenneth Ewards

    How many times in one week do we have to change our password?

    As required, I changed my old password 3 days ago, now, today, I am required to change it again so your website says.

    Please tell me this is a mistake. My new password (3 days old) is longer and stronger, and I wish to keep it, but it appears I am locked out until I change my “new” password again for the 3rd time!

    • http://Envato.com Sarah

      Hi Kenneth,

      This is Sarah from Envato Support.

      It could be a glitch with the system, have you opened a ticket with us?

      If not, would you mind doing so and letting me know the ticket number here?

      One of our Support Staff would be happy to look into this further.

      ^Sarah

    • http://Itseemsthateverythingisfixed. Kenneth Ewards

      Thank you for your help. It appears that all is well again.

      ; )

  • Dominic

    Two full days with no replies or follow-up… I had to create a new account to purchase the theme I needed.

    Not a happy camper.

    • Noel

      Hey Dominic,

      I’m sorry to hear you had to open another. Can you please let me know what the ticket reference is? I’ll take a look at it for you.

      Thanks

      ^Noel

    • Dominic

      Voila
      ZOW-629-87526

    • Noel

      Thanks Dominic,

      I have taken a look at your account and have sent you a reply asking for a little bit more information.

      Can you please reply to the email I had sent you (instead of posting here)?

      Thanks

      ^Noel

  • ep_comm

    I have try to reset my password but no emails were sent to my email. I have check my junk mail as well. I tried to create a ticket but the captcha image have a broken link. I even tried a few other browsers. It is troublesome that I have no other way to contact your support centre. I could not even submit a ticket because I could not even see the captcha.

    I am now way behind deadline with my projects and need some resources to speed it up. Please help mee!!!

    • ep_comm

      Ok just found the email address. I have send an email to account security too.

    • http://Envato.com Sarah

      Hi ep_comm,

      I’m Sarah From Envato Support.

      I’m happy to hear you found the email address, can you let me know the ticket ID in reply here? I’d like to make sure you don’t need anything further.

      ^Sarah

  • selmark

    I’m very much disappointed also like other members with your ticket system and support for last 4 days. I don’t have any reply then I sent few emails and opened few tickets and still no answer.

    • http://Envato.com Sarah

      Hi Selmark,

      I’m Sarah from Support. Does your username happen to be the same as your name here?

      If so, we have sent quite a few replies out. Just to double check, can you give me one of the ticket IDs you have sent in to us?

      Simply reply to this email and I’ll do my best to make sure you are taken care of ASAP.

      ^Sarah

  • http://mynewtechnologies.com Myrin New

    All this password security stuff would be nice, if Envato could send email reset instructions. I can’t access my site, with all my digital works I’ve purchased. Sent in 3 help desk tickets, no response. Tried troubleshooter several times. Looked in knowledge base, no help. I spent my money on files and can’t access them. This sucks!

  • Michael Sables

    I am totally locked out of my account. The reset password link does not work and does not send my a password reset email. I have had no replies to my support ticket. I have just put money in my account and have spent a lot of money with envato. I cannot access anything. This is not on! Last comment I made was deleted. Come on guys I though you were a professional business? Why do i feel like iv been scammed?

  • Michael Sables

    I still cannot access my files or credits. The login asks me to reset password but I am not getting the password reset email.

    I have sent support requests with no reply. If I do not have access to my files and funds I will have to start a paypal dispute for all the deposits I have made!

    This is outrageous! And no one from envato has spoke to my yet to explain why they wont let me access my account.

    Does anyone know of a similar service I can use to replace envato for stock illustrations, photos and templates?

    • http://envato.com Adrian Try

      Hi Michael. I’m sorry to hear about your problems, and understand your frustration. The quickest way to get help with resetting your password is to email accountsecurity@envato.com. Please let me know how you go.

    • Gordon Atkinson

      I sent email there. Twice. No one ever writes back.

      still waiting.

      You guys have about two dozen themes that I bought through you. I need access to them.

      user name consafo

  • Gordon Atkinson

    I have no problem changing my password. Happy to do it. But I tried to do so two days ago and can’t get the system to email me the reset link. Have put a number of tickets in on this. No response.

    Been a customer for a number of years. Have purchased something like 30 themes. I need to be able to get to my theme downloads. This is getting fairly desperate. Please have someone respond to me. User name is consafo.

    • http://envato.com Adrian Try

      Hi Gordon. Sorry to hear about your problems. Please email accountsecurity@envato.com for help with your password reset.

    • Gordon Atkinson

      Just sent the email. Hope to hear something soon. I’m going on 4 days without access to my theme collection.

      Gordon

    • http://envato.com Adrian Try

      Thanks for the update, Gordon. Hope you hear soon. :)

    • Gordon Atkinson

      24 hours have gone by. I’ve heard nothing. I’m beginning to wonder if there is a problem with email. Will you check and make sure my requests have even arrived?

      This is the problem with a communication system that doesn’t even have an auto respond to assure you the message went through.

    • Gordon Atkinson

      Another day has gone by. I’ve heard nothing. All I need is a password reset link sent to me.

      I’ve heard nothing.

      Are you guys actually in business?

    • Gordon Atkinson

      Another day. It’s now been a week. The only problem I have is that your password reset emails do not arrive.

      All anyone would need to do is send me an email to the email address in this comment. My user name is consafo. You can see my purchases for that user name.

      And the email for this comment matches the one for that account.

      Why is no one responding?

  • http://euro-pacific.com David

    I tried to reset my password, but there is no way to do it. Idiots!!! My guess is that they took advice from Adobe on how to handle hack control. Screw the customer!!

    If you are going to require every customer to update their password, then make sure that your system has the ability to handle it – time to fire your head of IT. That’s where the problem started by not having a secure server to start with, and then to mess up the password resets…….

    • Noel

      Hey David,

      This is Noel from Envato Support.

      Would you be able to give me your Marketplace username, please?

      ^Noel

    • Gordon Atkinson

      Noel, I need the same thing. User name is consafo.

  • http://www.surgecenter.com Young

    My ticket number is: #WBY-894-50604

    When I tried logging in earlier yesterday, there was a notice stating something about changing passwords due to the heartbeat bug/virus. I never received an email and contacted envato support directly.

    Now, When trying to sign in normally, your system posts this message “Incorrect username or password” and I no longer see the ‘heartbeat’ notice.

    I am NOT receiving any reset emails and it’s been nearly 2 days now. When I try to reset my password, your site keeps telling me that it could not find a registered user with the username/email address – hence I can not even request a password reset.

    This is beyond frustrating! And the response time for something as simple as resetting my password is ludicrous.

    I need to access my purchased files for a project deadline that is just 24 hours away!!!!

    My ticket number is: #WBY-894-50604 and i received a response from Jason stating that my email was blacklisted, but I can not login, nor can I reset my password. Your system states that my email or username does not exist.

    I have hundreds of dollars in purchased themes, scripts, and credits on my account, and opening a new account is not an option.

    Please help!!!

  • Gordon Atkinson

    At this point don’t you think it would be appropriate for Envato to issue some kind of statement at notes.envato.com?

    No response or admission that there is an issue makes us wonder. Is anyone every going to get our accounts running?

    If someone said, “We’ve had a technical problem with password resetting. We’re getting to all the requests for help, but it’s taking some time” at least we’d know we’re in a help queue.

    I’m also reaching the place of exploring other theme marketplaces out there.

  • Susan

    Hi
    I try to send email to accountsecurity@envato.com to reactivate my account but unsuccessful.
    “Error
    The email address “accountsecurity@envato.com.” is not recognized. Please fix it and try again.”
    Do you help any other email that I can send to?
    Thank you
    Susan

    • Noel

      Hey Susan,

      Sorry to hear about the issues you’ve come across. I’m not sure why your email isn’t going through.

      You can submit a ticket here http://enva.to/LpAJIA and make sure you select the Account Security option http://envato.d.pr/bDAY

      Please let me know how you go.

      ^Noel

  • Gordon Atkinson

    Let’s try something new. Been trying to get a password reset email for almost a week.

    Someone email me at the email on this comment. Let me know here that you sent it, and let’s see if you are sending emails and I’m just not getting them.

  • Gordon Atkinson

    Latest ticket I submitted to support.envato.com

    #WXS-537-52597

    waiting

    • Noel

      Hey Gordon,

      It looks like we sent through another password reset email. Have you received it and been able to reset your password?

      Please let me know.

      ^Noel

    • Gordon Atkinson

      First of all Noel, thank you for responding. I appreciate that. hearing something is comforting.

      Have not received anything. I use gmail to check the email address in this comment, which is the one tied to my account.

      I’ve searched spam for “envato” and found nothing.

      I have other email addresses we could use. I’m wondering if we’re looking at some kind of problem getting mail to my address. I don’t know why that would be, but at this point I’ll try anything. I VERY much need access to my account. Client issues are hurting my business because of this.

    • Gordon Atkinson

      I heard from Charlotte K. just now. So hopefully we’ll get this straightened out.

      gordon

  • http://www.antsmagazine.com nahid29

    I sent a reply long back but still no reply, again I sent today. Please resolve my issue

    • Steve_CakeFree

      Hey Nahid,

      Could I get your ticket ID to help us look into this further for you.

      Thanks

      ^Steve

  • Gordon Atkinson

    Kudos to Charlotte K, who contacted me from her personal email. For some reason, your password resets were being sent but not arriving. NOT in spam filter. I checked that multiple times.

    I appreciate Charlotte’s help and got the issue resolved. Password successfully reset.

  • Alex

    Hi, we have been trying to do a password reset since 14th may when the email warning was sent out.

    Almost 2 weeks without access and now we have serious problems with clients software out of date.

    No reply from the accountsecurity@envato.com email address for at least 5 working days?

    Please help!!!

    • Steve_CakeFree

      Hey Alex,

      Sorry to read that. Could you let us know your ticket ID and I’ll look into it for you.

      Cheers

      ^Steve

  • kdubdent

    Hi all,

    Thanks so much for all your attention to this topic. It’s great to have your co operation on something like this!

    If you have any other questions about this please contact us at accountsecurity@envato.com

    Thanks :)
    Kelly