Tuts+ Premium Downtime Update

Note: This post hasn't been updated in over 2 years.

Yesterday I posted up about the patch we’re working on to bring back the Tuts+ Premium service with better security measures, as well as our other responses to the situation, including a one month refund and two months free access.

The fixes I outlined in previous posts have been completed and tested by our development team. Although we are pretty much ready to go live, I am erring on the side of caution and we will be doing another day of extensive testing. I realize this is an inconvenience for those of you waiting for the site to go back online; however, it is important to all of us to take the extra time and do it right. Thank you for your patience in the meantime; we really appreciate it.

  • Ritvik

    Guys, just don’t pressurize yourselves; just take your time and please set things right once again!

  • Alejandro Reyes

    It’s good to see that you are coming clear with us and reporting back everyday. That shows you are good guys and it was just a mistake.

    After all we all make mistakes, sometimes small and sometimes big, but taking responsibility is what makes people stand out.

    Hope we can get back to learning, I was enjoying the JavaScript course. 🙂

    • Rashidul Islam


  • Josh

    Hey guys,
    Great to see you’ve got the problem isolated and close to resolution. Despite the anger and inconvenience, I’m genuinely impressed with the level of transparency and honesty you’ve displayed.

    In the long run, I think (hope) this’ll work in your favor. I’d much rather do business with an organization that takes responsibility for their mistakes, keeps their customers informed, and gives fair warning in the wake of a security compromise.

    Plus, unlike other sites, you’ve taken it upon yourselves to recognize the impact of this mistake and offer some reparations to your users. I think you learn a lot about an organization when it’s under pressure. So, for what it’s worth, my faith has been restored (and improved).

    Looking forward to finishing up a few of your Premium courses. Best of luck with the restore!


    Just kidding – I got brainwashed by all the negativity on the ‘main’ post about this. 🙂

    Have a casual Melbourne meet-up – you probably need a beer after the last few days (I’ll even buy one for you and Vahid).

  • Gabor

    Thank you for your update. I really appreciate your cautiousness and concern. Personally I can wait as many days as complete safety requires.

    “In a world full of zombies and parasites who maintain themselves from others unfortunately we have to spend a massive amount of time to build and maintain powerful walls.”

  • Aditya

    Take your time, these things are ok.
    Just if you could give some envato goodies instead of 19$ refund and two months free, I will renew my paid subscription on my own.

    • Riderman

      Actually that would be a good idea too!
      Perhaps envato can offer us coupons, certificates, or some kind of bundle as an ALTERNATIVE FOR A REFUND.

  • Matthew Killington

    Thanks for the update, I just hope it will be the same (with people being upset and leaving)

  • Great to know that the fixes have been completed. Please take your time to make the web safer for all.

    Good luck!

  • thecodingdude

    So you knew about this issue for a long time and can fix it within 48 hours. This is pure arrogance on Envato’s part to think they are “immune” and “we can never be touched”.

    Shame on you.

    • thecodingdude

      Also, please can you explain how you can upgrade the site using hashed passwords and a new system (which is “secure”) within 48 hours yet you couldn’t have done this last week? I’m very keen to hear your answer.

    • Justin

      Putting quotes around words and phrases that Envato obviously never said is a bit contrived don’t you think?

      It was certainly a major oversight, but they have since owned up to it several times within the last few days. I don’t think they believe themselves to be “immune” or untouchable.

      For all that Envato has created and provided to its readers, customers, developers, designers and authors, I think we can forgive them for this one, albeit major, blunder.

    • thecodingdude

      No. You can never forget somebody that stores passwords in PLAIN TEXT. That’s like giving somebody your house or car keys and them losing them all – would you forgive them that your property is now at risk?

      Sure, you can fix it, but how can you forgive the person for being so careless?

      Considering they made a blog post about security from other sites that got hacked and how you should change your password, you wouldn’t have thought a few weeks later they would’ve got hacked.

      I knew tuts+ was on the target list as soon as I read that blog post, and boom, look where we are 🙂

    • Brandon Jones

      I’ve gotta back Justin on this one… the internet finger wagging and air quotes seems a bit over the top when Collis has been incredibly transparent about the entire issue. I understand where the anger is coming from, but no one’s passing the buck here. Mistakes were made; Responsibility has been taken; Hindsight is 20/20. The condemnation and holier-than-thou attitude that lots of people are taking here feels a lot like armchair quarterbacks calling the plays after they happen.

      I also seem to think you misunderstand the line between published tutorial content from third party authors and company practices. This is understandable… lots of times it’s easy to assume that because Envato is all under one brand that every employee reads every tutorial on every site and takes appropriate action. That’s not the case here… so the “how did this happen to them (of all companies – insert condescending remarks)?” is actually pretty easy to answer: We’re all only as secure as the weakest link in the systems that we put our information on. In this case Envato and Tuts+ started on an old, unsecure system before it was ever really an issue. They failed to upgrade quickly enough because the idea of scaling the old system was staggering and they took too long building something custom. In real world analogies: they had a hole in their roof, but rather than waste valuable money with an expensive short-term patch, they opted to build a whole new roof for their users.

      I’ll be clear – I’m not defending Envato or dismissing the issue. This is a huge deal and subscribers deserve to be pissed. But this was not a mistake of willful negligence… the mistake was in prioritization, which is a real conflict when there is a finite amount of resources and lots of projects to work on. It’s also a really easy thing to criticize after the fact. Too easy in my opinion. Collis has admitted to this situation being a total screw up in terms of prioritization, but there’s no real villain here besides the hackers. Collis is also doing a great job at taking the blame and acting as the lightning rod in this situation… something that you just don’t see in the vast majority of companies out there.

      So be angry – it’s right in this case, but I think there’s a bit more complexity to the issue than a simple “shame on you” warrants.

    • thecodingdude

      Brandon Jones: If you have been following the community and there was one thread which was started you would know Envato’s excuse for anything is that it “is in the pipeline”.

      They have known about this issue since June/July last year (according to a post on the other blog post, with a URL: http://www.reddit.com/r/PHP/comments/vmo5z/envatos_tuts_website_hacked_emails_plainttext/c55uijz)

      So yeah, I guess this hack was “in the pipeline” for Envato. They asked for it and they got it. Only got themselves to blame.

    • Brandon Jones

      “They only have themselves to blame” – that’s good, because they’re not blaming anyone else 😉

      No one here is arguing to defend them or pass the blame off to anyone else. No one is trying to gloss over this as if it’s not a huge deal. Once again – anger, frustration, outrage – they’re all relevant reactions in this case. They’ll learn from this mistake and become a better company for it – they’ll also lose customers that trusted them because it was a huge screw up for such a high profile company – that’s all totally understandable as well. We’re not in disagreement on substance here, just tone =) Envato brings a lot of awesome things to the community and they’ve admitted to everything in this case. Tempering outrage with a bit of human empathy here isn’t crazy.

    • thecodingdude

      I appreciate that. Thing is, when they are putting posts like http://marketblog.envato.com/general/account-security/ up, you’d think their own security would compensate for the hackings that are in fashion.

      Also, Envato has only a handful of developers and that’s the problem; they all suck (what do they do anyway?).

    • Ryan Tablada

      Collis has been extremely transparent and admitted that he had the overhaul in his own list of things to do. He has admitted that he made a mistake by not making this a priority.

      As a small business owner and project manager, I totally understand where he is coming from: Tuts+ is his baby and he felt that he was able to oversee it. I know from experience that handing off responsibility can be the hardest thing to do in a situation (especially when you know that you have the necessary skills to complete the task).

      When you state that Envato has “Only got themselves to blame,” you are just restating what Collis said in his past two posts. He has taken full blame which is something I find remarkable in today’s culture where businesses usually just throw around money and deny fault.

      When you are asking how the site can be upgraded in 48 hours but couldn’t have been done last week, consider the man hours that have been put in. From my understanding, Envato has quite a collection of web developers. In a breach situation, most if not all of these would be working around the clock to remedy the solution rather than a much smaller crew working without a deadline.

      Also, for those saying something to the effect of “didn’t Envato read their post on Hashing?” As the security specialists that you are claiming to be, don’t you have unique secure passwords that you switch out on a bi-monthly basis as is recommended by best practices?

    • Cesar

      @thecodingdude You never have a positive thing to say, dude? From your own words: SHAME ON YOU!

      You’re always trashing Envato in the forums and everywhere.

      Take a chill pill and relax man. If you don’t like it then go somewhere else. Geez!

    • Mike

      Brandon Jones, that was really well said. Side note, if people are dumb enough to use the same password on tutsplus that they do on paypal or their bank, this event was also “in the pipeline” for them.

    • lol this is great.

    • @dtbaker – it’s great eh? I’m loving some of these comments. 😀

  • RP

    How can I find out what password I used? I’ve asked it multiple times with no answer.

  • Terbiy

    The funny thing is that the day before the problems appeared I’ve read the thread on the forum where one user noticed that he likes the fact that tutsplus has never crashed and he wants some courses about the web security.

  • Mayank Sharma

    Even if everyone leaves the website. I will stay as an envato loyalist because only this website really teaches from the basics to the advance. Take your time pals, I am with you.

  • Jonathan

    Ok the only tremendous error a company makes is failing to handle their mistakes rapidly… You guys are on the ball and I really appreciate being warned immediately (+ updated on the issue).

    Always loved what you guys did and wish to have everything back and better very soon!

  • Thomas Bates

    For the hundredth time, the Tuts+ Staff is NOT RESPONSIBLE FOR THIS. I’m very tired of hearing that “point” (‘they just released a security tutorial, and this is what we get?’).

    The Tuts+ writers, editors, managers, they have absolutely zip, zero, nothing to do with the development of the Tuts+ app itself, especially not when it comes to CMS development. It is not their fault, stop pointing out a nonexistent issue.

    It is the fault of Envato, or more specifically its developers. They’ve said repeatedly how sorry they are about it, Collis has basically gotten down on his knees and begged forgiveness. It was a known problem, and they were working on a fix. The fact that they managed to get it deployed in 48 hours should tell you just how close they were to being able to update it on their own time.

    I’m sure that for the last 48 hours, the Envato team responsible for Tuts+’ website has had almost no sleep. The fact that they were able to catch this, notify the users, and deploy a fix so fast is quite remarkable.

    I’m tired of the Envato Hate Train. I for one still am quite happy and enthusiastic about Tuts+, its content, and Envato and its endeavors. Maybe that’s because I know that no matter how encrypted, or salted, or hidden away passwords are, or are not, they’re never safe. I use a generated 18 character password unique to every site I visit. Password security is a two-way road.

    Envato, Collis, thanks for taking responsibility on this and actually owning the problem. Thanks for being honest and direct. And thanks for fixing the issue so fast.

    • Jeffrey Way

      Just a clarification that Envato’s developers are ridiculously smart. Collis noted that it’s not their fault.

    • Thomas Bates



      Also, this was a reply to ‘thecodingdude.’

    • Brandon Jones


    • Brandon Jones

      My mom always used to tell me that the character of a man has more to do with how he reacts to his mistakes… not that he made them in the first place. I think this applies in this case.

    • Brenda Malone


  • Sean

    So it’s been 48 hours, any word on when they will dust off the old shoes and get back in the saddle?

    • Blake

      This post was posted today (28th June) and if you read the post properly, they said they are going to give it another day of extensive testing etc..

  • Tom

    This would be a great time to plan a course or series of courses on security.

    How can we protect (encrypt) records, passwords, etc…

    Share your experiences.

  • Sean

    Sweet, I was in the middle of a tutorial when the site crashed. I’m just real itchy to get back in there.

  • Gochoo Gomboo

    I want to learn asap.

    • Ryan Tablada

      There’s still tons of content to be found on the free tutsplus sites and those are still up and running.

  • Thank you for the update. I would love to login and hit some video tutorials but at the same time would prefer for you to do it right so there is no repeat of this problem later.

    Hopefully the site will be up again soon. Until then I am thankful for downloading the videos I did so I can keep reviewing and hopefully be able to pick up pace again when the site is live.

  • Eq

    Ouch! I need a few contents in tuts+ for my project! I guess I should wait then.. :(. Thanks for the fast update.

  • Vincent Orona

    Despite the bitching and complaining about things we (subscribers) have nothing to do with, I won’t perpetuate it… I just want to know if Envato is going to give us some market credit? Free months or ? I admit not reading ALL the posts about this. I love the site and sites associated with it… I’m staying… does anyone know what’s up?

    • Amanda Hackwith

      Current members are getting their last month refunded and all Tuts+ Premium accounts (whether subscribed or not) are getting two months free access. Details here: http://marketblog.envato.com/news/tuts-premium-security-update/ about half way down. Hope that helps. 🙂

    • Brandon Jones

      They are issuing a refund to all Tuts+ subscribers this month and then granting an extra 2 free months on top of that. 😉

  • Emily

    was counting on using my rare down time tonight to go through the Identity Design course…

    any tips as to where I can find similar info for free in the meantime? all of the “public sections” even send me to the error page.


  • RafiQ

    I don’t really know how PayPal operates, and if this even has any links to this case. But I got an e-mail from “PayPal” today, and it seemed very suspicious to me. As I have never gotten this e-mail before, it looks to me like it has something to do with this case. I didn’t follow the link, and instead went right to paypal.com instead. Could log in without problem.


    What do you guys think?

  • Thanks for the update, Collis.

    It’s unfortunate that this happened, but you guys have my full support. I appreciate your hustle and your commitment to make it right.

  • Brian

    When can I sign up for a new Tuts+ Premium account? Will it have to wait until Monday? The timing on this sucks for me, but I can wait if I need to.

  • Brandon Jones


    • Rashidul Islam

      Stop loling man. Privacy is more valuable than money.

      I like the way Collis said. I appreciate Collis. Good luck for a better future Man.

    • Brandon Jones

      Actually – the “LOL” comment was in reply to a (now deleted) robot-spam comment that made it past the filter for a “Dubai Escorts Service”… they had apparently found the blog post “very interesting” and wished to trade links or something. When the original comment was deleted, mine was left out of context, making me look like an ass (which I’m entirely okay with) 😉

    • Jay

      comment not show..?? why…?

    • Adrian Try

      Hi Jay. Because you’ve never commented before, we needed to approve what you wrote before it’s displayed. 🙂

  • Brian

    Honestly, I do not get “I support you guys no matter what” comments.
    This (online security) is a very serious issue and I think ignoring it is not only to show your ignorance but utmost disrespect of your customers too.
    If you do not know how to conduct the online business, do not start it – it’s simple like that. Respect your customers, and your business will grow. Not like it will grow with dipstick who does not care about anything and sticks around no matter what, but rather with more intelligent people joining in.
    Personally, I was about to pay for my daughter’s yearly subscription so she can delve into your knowledge base while in college, but this one is a surefire deal breaker. There is another choice out there, more expensive but I know I can trust them – I know it first hand for I was involved in certain security related activities and saw their honest and sound approach to this aspect of online business.
    I hope you will eventually get your stuff together and gain people’s trust back, but if not – it will be your very own undoing.
    Good luck!

    • Brenda Malone

      Being involved and having a knowledge of security issues, surely you understand that the end user must also take some responsibility to remain secure. Secure password / login management is crucial in this day and age. Don’t use the same password for any two sites. Get a reputable password manager or use the Stanford personal hash and salt application.

      If they are as honest as Envato has been, you will see that most companies have been hacking victims. Even the CIA. Even LinkedIn, whose passwords I believe were hashed but not salted. It happens to the best of them, and to the worst of them.

      I absolutely trust Envato to provide an online village of learning and phenomenal marketplace to make me a more successful professional. There is even a teaching moment in all of this, which will undoubtedly make Envato stronger and better than ever before.

      Hopefully, Collis and the entire development team can get some sleep after all of this is over. And then get back to work to continue to provide us with even more screencasts and tutorial and themes and books and vectors and sounds and games and more.

  • Rashidul Islam

    Good luck Collis

  • Rashidul Islam

    Stop loling man. Privacy is better than money.

    I like the way Collis said. I appreciate Collis. Good luck for a better future Man. 🙂

  • Aditya

    Tuts+ Premium is back

  • tweakui

    Humm tuts+ Premium is back but where is my 2 month free access?

    • Brian

      As I stated earlier – Good Luck!
      As for Brenda Malone – you are absolutely right! All who have business online are exposed to this threat. The difference is how you prepare for it and how you protect the building blocks of your business – your clientele.
      In this case, the company simply did NOT give a damn!
      That’s the KEY!
      I want to bet that some action will be taken, but how effective it will be to prevent this from happening in the future – that is a big question! I predict many cut corners.
      You can call me pessimistic, but I rather attribute my type to the camp of realists.

  • Jay

    its need….

  • Jay

    comment not display…??

  • Jay

    ok thanks adrian try…