Update on Tuts+ Premium Security Breach


Update: Tuts+ Premium Back Online and Patched

Yesterday I posted here on Notes about a security breach and compromise of account details on the Tuts+ Premium service. If you have a Tuts+ Premium account, and have not done so yet, I strongly recommend reading that post and following the recommended actions to safeguard yourself.

I am posting now with more information about what happened, what we are working on, and what we are offering to affected users.

What We Are Working On

We are currently urgently patching the Tuts+ Premium system, and passwords will no longer be stored in clear text. I anticipate the service will be coming back online in the next 24 hours, with all passwords reset, hashed and individually salted (a best practice). It is still a work in progress so the timeline may change.
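The fix the post describes, hashing with a per-user salt and resetting every password, as an added example in Python (not Envato's or aMember's code): it migrates a constructed cleartext table the way the post says the patched service will store passwords, then audits that no cleartext survives. The function names and the choice of PBKDF2-SHA256 as the slow hash are this example's own assumptions; the post names no algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed sample records of the kind the post describes: username, e-mail
# and the password held in the clear. These values are made up for this example.
CLEARTEXT_USERS = [
    {"username": "alice", "email": "alice@example.com", "password": "hunter2"},
    {"username": "bob", "email": "bob@example.com", "password": "hunter2"},
    {"username": "carol", "email": "carol@example.com", "password": "correct horse"},
]

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16        # length of the random per-user salt


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values, so a precomputed table is useless against a dump.
    The salt is stored beside the hash on purpose: it need not be secret, only
    unique; the slow KDF is what makes guessing each password costly.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_with_reset(users):
    """Migrate cleartext records the way the post describes.

    The old cleartext values must be treated as known to the attacker, so none
    is carried over: every account gets a random one-time reset secret (to be
    delivered out of band) and only its salted hash is stored. Returns the new
    records and the reset secrets keyed by username.
    """
    migrated, reset_secrets = [], {}
    for user in users:
        one_time = secrets.token_urlsafe(16)
        reset_secrets[user["username"]] = one_time
        migrated.append({
            "username": user["username"],
            "email": user["email"],
            "password_hash": hash_password(one_time),
            "must_change_password": True,
        })
    return migrated, reset_secrets


def audit_no_cleartext(original, migrated):
    """Post-migration check: no old cleartext survives, every stored value is a
    well-formed salted hash with an adequate salt and work factor, and no old
    password still verifies against any account."""
    old_passwords = {u["password"] for u in original}
    for rec in migrated:
        stored = rec["password_hash"]
        if stored in old_passwords or not stored.startswith("pbkdf2_sha256$"):
            return False
        _, iterations, salt_hex, digest_hex = stored.split("$")
        if int(iterations) < 100_000 or len(salt_hex) < 2 * SALT_BYTES or len(digest_hex) != 64:
            return False
        if any(verify_password(p, stored) for p in old_passwords):
            return False
    return True


if __name__ == "__main__":
    new_records, reset_out = migrate_with_reset(CLEARTEXT_USERS)
    for rec in new_records:
        print(rec["username"], rec["password_hash"][:40] + "...")
    print("audit passed:", audit_no_cleartext(CLEARTEXT_USERS, new_records))
```

Note that alice and bob share a password yet end up with different stored values, which is exactly what the per-user salt buys.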

Additionally, we have been working to identify the source of the breach and the method of attack. We have put countermeasures for this exploit in place and are adding further ones.

What Happened

Our Tuts+ Premium service has been running for a long time on a product called aMember v3 which I purchased and installed in the early days of Tuts+. This product operates by storing passwords in cleartext as a way to integrate with WordPress and other services. This is not a good practice, and it was clear that we needed to move away from this setup.

In retrospect an immediate patch would have been the right approach, but through bad prioritisation and poor estimation of the work involved, I pushed forward a plan to build an alternative from scratch and get off aMember completely. I should also note that aMember had in the meantime released an upgrade to their service which deals with the issue, though an upgrade with our heavily modified system was a significant endeavour. As can happen with rebuilds, the project took longer than anticipated and consequently we continued on with a poor setup and high risk situation.

I’d like to take a moment to be clear that this wasn’t a failure of, or a reflection of, the professionalism and integrity of our development or Tuts+ teams. It is my responsibility as CEO of Envato to prioritise and make calls on issues like this, and I did not give it the urgency it needed. When our systems came under attack, the consequences became much larger and worse than they should have been.

From here on, along with addressing this situation, we are going to be taking a long and hard look across the company at all areas of security, even the ones we feel very confident about.

One month refunds for all current Tuts+ Premium paying members

In consideration of the downtime of the service, in the next 48 hours, we will be issuing a one-month refund to every current paying Tuts+ Premium account holder. This will be $19 USD for Monthly and Yearly members and $9 USD for Basic members.

We’ll be pushing out the payment of refunds as soon as possible on an automated basis, so there is no need to do anything in order to receive the refund. If you are a current paying member, you should receive a refund in the next 48 hours, either through PayPal or Moneybookers/Skrill depending on your current payment method.

Once the payment has been processed, we will post an update back here on this Notes post confirming it, along with information about what to do if something has gone wrong with your payment.

Two months of free access for ALL affected users

Regardless of whether a person was a current or expired member or just someone who signed up but never paid or used the service, we will be offering two free months of access to the Tuts+ Premium service. Despite this situation, I stand by our product as a fantastic resource and hope that this goes some small way to saying sorry to all the affected users.

Once the service is back online, I’ll post up more details about the two months free access. For now all efforts in this area are going towards bringing the patched up service back online.

How wide was the breach?

We would like to reiterate that only Tuts+ Premium has been compromised. The security breach does not affect any other Envato sites, such as the Envato Marketplaces. And to be clear: other Envato services follow best practices with regards to the security and safety of data.

We have never stored financial data on Tuts+ Premium. We DID store each user’s username, First Name, Last Name, password, email addresses and payment email address, where provided. If you haven’t already, please urgently:

(1) Update passwords on ANY service you use that uses the same password as the ones you had on Tuts+ Premium.

(2) In particular you should consider your own email account, PayPal, Moneybookers, and other payment services. These are the most sensitive targets, and if you had the same password, you should consider this an urgent priority. If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use.

(3) If you use the same password on any other Envato service such as the Envato Marketplaces, you should change your password there too.

Expected Timeline

As outlined above I expect that within 24 hours we should have Tuts+ Premium back online with the cleartext password issue addressed, and information on how to access your account again. Within 48 hours we should have the refunds processed. And around that same time I should have a follow-up post about the two months of free access.

We’re extremely sorry

We are deeply disappointed this happened, empathize with all affected users and completely understand the level of outrage, frustration and disappointment that has been expressed. We are doing everything we can to make things right, and hope that over time we can rebuild your faith and trust in Tuts+ Premium and Envato by adhering to and championing security best practices into the future.

As CEO of Envato, I am personally extremely sorry and apologise to all our users and members, and to the staff, writers, instructors and developers who work on these sites. We will do better in the future.

If you have any questions, concerns or account-related requests, please don’t hesitate to contact Envato Support for one-to-one assistance: http://support.envato.com.


  • http://codecanyon.net/user/dtbaker dtbaker

    Excellent progress! Good luck finding the culprits and modifying the 3rd party script to work with hashing! :)

    • http://codecanyon.net/user/dtbaker dtbaker

      seriously. first comment again. I need to get off facebook.

    • http://flyerheroes.com Quickandeasy

      Your time could be far better spent you know…

      Like building Arduino balance displays :P

    • toni

      What is this crap… Why would the security breach happen exactly at the “unencrypted password section”?

      It is a clear inability… that's what happens when designers want to code

  • http://www.creativejuus.com Jason

    Thanks for being upfront about this situation.

    Good to see a quick response and hopefully this will all be resolved sooner rather than later.

    • Cristian

      +1 to this comment Agree totally!

  • Michael

    Collis – please take a minute and read this article 2 or 3 times over before you ever think about taking anyone else’s money again:

    http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

    What is amazing is you’ve know about this issue for so long and did nothing, yet now when the sh*t hits the fan you can fix it in 48 hours. Shameful.

    • inlifethrill

      Dude, man said it all. We get it you are upset. Have a frozen yogurt. You need to chill with that crap already. Previous notes thread was all about that. Sleep it off. It’s a new day, be positive about it. Jeesh..

    • Gochoo Gomboo

      He read this article yesterday, that’s why I’m happy now and continuing to enjoy Envato+Premium again!!

    • Ak

      Well, I agree with Michael to a certain extent, not with the way he is expressing it but with what he is saying ..

      Collis – Clear text is not a bad practice. It's a really, really bad practice .. Because it affects more than just my Tuts+ account. Now I have to change all my passwords because you guys either chose to ignore the risks or got lazy ..

      OR whatever rationalization you give for the actions you didn't take .. It's really wrong

      I appreciate the updates and the free 2 months, but for your sake I hope no customer gets robbed in any way or form because of this carelessness ..

      I really have no words to explain what I feel about storing passwords in plain text..

      But all that said and done.. I hope you will now be more careful with people's privacy and your security.

      Hope you guys recover soon..

    • Kel

      I’m not seeing value in the opinion of anyone who claims to have to change all of their passwords because of a breach on one site. It’s a “Really really bad practice” to use the same / similar passwords across sites regardless of how widespread the practice is…

    • Ak

      Regardless of what anyone thinks about how I choose my password .. The fact is not whether a password is used for 1 or 100 sites, it's that it was stored in plain text .. The complaint is not that I have to change my password at 10 places, but that now someone out there knows my password, maybe can figure out a pattern in it or just post it on the internet.. the possibilities of misuse are countless.

      And for the ones who can't see any “value” in my opinion, I wish they get hacked at least once in their life .. and feel the pain that many of us, not including Tuts+, have faced .. that ought to make 'em understand the importance of securing customer passwords and other details..

      I can't explain any more than I have..
      And I don't wish anyone getting hacked .. as it's a terrible feeling of helplessness .. and especially if it happens when you are not at fault ..

      I am happy the site is going to be up soon ..

    • Kel

      I remember this time some guy “hacked” me once and used my password on my own WWIV BBS against me and logged into various other BBSs in the Ft. Lauderdale area telling the few females on the system bad things as if they came from me. I responded with this really cool ANSI picture of the handicapped symbol we often see on parking spaces meant for handicapped people. So been there done that…. but I have to know if you still hope I’ll get hacked *again*.

  • Alex

    I’m still seriously not happy about the events and the complete and utter disregard for our privacy, but I’m happy that you are being so upfront and honest.

    At the same time, I wonder if this has totally damaged your standing in the community and the ability to be taken seriously.

    One also has to question the marketplace security now. I know you say it’s a different system, but who’s to say there's not a security issue you are unaware of.

    I’m going to stick around and watch what happens, but the jury is still out on whether I give a dime to envato again.

    • http://piercemoore.com Pierce

      I completely agree.

      I’m in IT (web), and I know just as well as anyone that security breaches happen. That’s obviously not the part that I’m worried about. And I’m not going to re-hash all the stuff from the last thread as it would be pointless.

      But considering that Envato+ Premium used this plugin for so long and, in Collis’ own words, required so much work to update that the easiest way to fix it was a floor-to-ceiling rebuild… and now it’s been fixed in 36 hours? Smells like fish to me. It is a very easy thing to simply say that you’ve fixed an issue to save face, but I think that the only way to win back some trust is to make every effort to prove convincingly that these passwords are indeed hashed.

      PhpMyAdmin screenshot? MySQL command-line screenshot? I don’t know, I don’t particularly care. There’s no way I’m going to renew when these types of issues remain. Sorry.

      Good luck, Collis. I have always loved Tuts+ and owe 50% of my knowledge to Net+. You guys do great work. I just really want you to win my trust back. Please?

    • toni

      don't blame them.. they know absolutely nothing about coding, all they know is to do those pretty math-notebook-like squares as a background… nothing more

  • Ron

    Paypal just processed my Tuts+ Premium automatic monthly payment TODAY!

    Now that’s what I call impeccable timing. NOT!

    • http://vtimbuc.net Valeriu

      That’s not Envato's problem. You should have removed the subscription from your PayPal account.

    • Jose

      Did you read the article? Please read again.

  • Michael

    Storing passwords in plain-text!? Are you serious?

    • http://google.com Adam

      wow, I’m just about as shocked as you, a huge website like this… storing passwords as cleartext, WTF? -_-

    • Alain

      Agreed.

      Plaintext passwords? This is so stupid I think it gave me cancer.

    • Me

      You said this already. Are you serious?

    • jay

      If only there was a website that teaches us how to handle the proper storage of passwords….oh wait….

    • Michael

      I see many comments have been deleted.

      Clean up on aisle 3 huh.

  • http://www.thaerigen.net Kiki

    Thank you, Collis. I very much like how you handle this issue communications- and otherwise. And I absolutely second your words about your team. You have great people working for you and tutoring us, which is why we are all here and usually very happy customers.

    As I mentioned in the other thread – best practices usually aren’t, because they are so darn complicated to follow, and man is a lazy creature of habit. Most users wouldn’t be half as angry if they didn’t know that only their own laziness could be blamed for the hours they (hopefully by now) have spent changing their password on dozens or even hundreds of sites – while a site owner’s rule number one is „use encryption and salted hashtags“, user rule number one is: „don’t use the same password for every site or service“.

    I guess we all have learned a lot from tutsplus over the years. Yesterday’s lesson was probably the most expensive and still the most valuable one.

    • http://lemondedereggie.fr Reggie368

      @Kiki

      You’re totally right, and though it’s a great mistake to have a third party plugin that stores passwords in clear text, it is an even greater mistake for the users to use the same password on every other site. They have their part of the responsibility too… and being rude to Envato and its team won’t discharge them from this responsibility.

      Contrary to some big companies that say nothing to their customers, Envato is doing it right by telling the truth to all its customers.

      Shit happens, even to the most careful and skilled ones! As they were the only ones to know about that flaw in their system, there must have been a leak somewhere… They have to find it and do the right thing! Whatever (or whoever) it is…

      Then everything should come back in order soon hopefully.

  • Morgan

    Thanks for the update!

  • http://softwarebuzzer.com sureshpeters

    Every big website is getting hacked these days. So I request the team to make it much more secure and never use third party plugins; create your own membership plugins or something, since you guys have great coders!

    Hope you will overcome this incident soon!

  • http://www.maren.com.ar Martin

    hope you have a good day

  • Jonathan

    I appreciate the transparency. Although, this just after the whole Linkedin password issue is becoming too much. I spend hours updating passwords on various sites because of security breaches. So, Envato isn’t isolated here… it happens to a lot of companies. I learned MY lesson and will use a unique password on EVERY site.

    • Jackie

      That’s what we all should be doing! Lesson learned here as well.

    • Rashidul Islam

      U should integrate a device/chip on ur brain to remember the passwords ;)

  • Sally

    I can’t recall my password, but when I go to change my password, it says it doesn’t recognize my email address, but that is where I am getting the updates!

    Of course, I can’t find a support contact for them for my life either. I understand they are working hard, but I need to change my password. Please, someone help

    Sal

    • http://wp.envato.com/ Japh

      Hi Sally, all Tuts+ Premium passwords will be automatically reset, as it says in the original post. You should change your passwords on other websites if there’s a chance they’re the same. Especially email or financial sites.

    • Steve

      yeah, like i’m gonna change my password on that many sites. i’m pissed envato.

  • John 8:7

    Thanks for the update Collis. Hopefully once your black eye heals, you can return to providing us with great content in a best practice environment :)

    I wonder how many of the people throwing stones at you are just as guilty, but have not been caught yet.

  • Jackie

    I’m personally more likely than ever to use Tuts+ now as the apology and explanation was so clear and detailed. It takes a lot to stand up and admit you got it wrong – especially in so much detail.

    OK, it shouldn’t have happened, but I’m sure none of us are perfect either! Let's learn from this and move on.

    • Dan Lourenco

      Well said, Jackie. The likelihood that this happens again is hopefully very low now that they’ve been humbled by this breach. Can’t wait to get back to the excellent tutorials from Jeff Way and the like–great stuff here.

    • quickliketurtle

      I second that. An apology and taking blame shows a lot of character as a company, and a person.

      I will absolutely continue to use Tuts+ and recommend it to anyone who will listen.

    • Mike

      This isn’t an issue of ‘not being perfect’. Envato didn’t just mess up, they broke pretty much the cardinal rule of keeping passwords (a rule that is even explained on various tutorials on web development on this very site).

      Plaintext passwords are an *enormous* no-no. LinkedIn got egg on its face for storing passwords simply hashed, which is insufficient and yet leagues better than what Envato was doing.

      I am so very sick of companies that purport to be leaders of technology failing basic tests of security, and it is us, the users, who lose out.

      The fact that you are ‘more likely than ever’ to use them is evidence that you don’t really understand what they did wrong.

      What they did was the equivalent of writing your PIN on your ATM card. It’s fine as long as it’s in your wallet, but the moment you lose it (or the moment db info gets stolen in the case of Envato) you’re S.O.L.

    • Travis

      @Mike,
      Then how about turning it around and saying any idiot who uses the same password on multiple sites doesn't understand what can happen to them if one of the sites they use is compromised? Man, sounds like a legit argument to me. Since you sound like you understand security so well, then you must know that a site is NEVER 100% secure… so then why use the same password across multiple sites? I admit I used the same password for another site, but it's hardly even worth mentioning. Fact is I changed all my passwords regardless, but this hardly affected me at all.

      If people didn’t do such things then simply “password stealing” wouldn’t be much of an issue now would it? I would be singing a different tune if it was my credit card info or someone stole my identity as a result but it is not – simply my password (assuming Envato was 100% straightforward) stolen for a learning site means absolutely nothing to me.

      Don’t be so quick to judge everyone.

  • http://laranz.in Lawrence77

    Wow, Two months free access. I am loving it.. :)

  • hussam

    That’s how all sites should treat their users . .

    Good job . .

  • no one really

    how do you expect anyone to take you (envato) seriously after all this?

  • http://iamdesignerservices.com Rebelle

    I am still pretty new to all of this so I have really been just watching the situation. I must admit I was dismayed over the fact my personal information could have been compromised but I lived through Sony, I was pretty sure I could live through this. Given the way you are handling it, the refund and the two free months ( actually 3 if you think of the refund as an extra month) I am more than happy to keep my membership. I learn a lot from here and really don’t want to give it up just like that. I am very sorry all this happened to you and hope better security measures will be in place soon. Good luck !!

  • tpaulding

    I’m missing where to go and make changes. All the links I follow are leading me to “site down.”

    • http://envato.com Cyan

      Hi tpaulding,
      You don’t need to do anything on Tuts+, but if you used the same password on any other site you need to go change those passwords immediately (particularly any payment gateways, email addresses, other important sites).

      If you used a unique password on Tuts then there’s no issue.

      I hope that helps, and apologies again for the inconvenience.

  • Joost

    • Cyan

      Cleartext, no one fixed it because they were making lots of money.

      But now the irony is all these premium tuts will be all over the web.

      lesson learned?

  • http://www.premium-templates.eu Jiri

    Free access for two months is a pretty fair excuse. Thank you!

  • Gochoo Gomboo

    Collis,

    Thank you so much for your quick action, learning from your mistake and offering a great treat to the customer. I really appreciate your honesty about every problem you had and not being afraid of public outrage and telling the truth.

    I will be continuing my subscription as long as you guys keep your honesty.

    Appreciate you,

  • Gochoo Gomboo

    Oh, you guys need to make a tutorial about how to know your website is hacked (in the case where your website is still working normally after the attack), how to retrieve from the patch and what actions need to be taken, stuff like that.

    That would be a useful tutorial.

    • Dan Lourenco

      Good idea! A learning opportunity for all of us.

    • http://example.com DonDop

      Yeah, spin the news!

    • markphd

      Yes, please make a tutorial how to handle attacks. It will be very informative and helpful to the Tuts+ community.

  • Clint

    Everyone should be using separate passwords for separate sites, and if this was the case this problem would not have affected anyone.

    Go grab KeePass and use super-strong unique passwords for each website.

    Good on Envato for using a separate payment gateway for storing the financial data (best practice)

    At least they kept your credit card details safe :-)

  • http://www.mlangella.com Manuela

    I really appreciate it, and I continue being your big fan!

  • http://themeforest.net/user/LucidStudios Sher Ali

    Good luck Collis and devs :)

  • Kristian Roebuck

    It’s safe to say I’m never buying anything from Envato again. Storing passwords in plain text is a huge no-no, a total disrespect to your users. I have lost any faith I had with you guys.

    According to a comment on Hacker News, this person contacted Envato a year ago about your appalling password storage. (http://news.ycombinator.com/item?id=4163101)

    Your response was:

    “Thanks for reporting the issue of plain text passwords to us. It’s how passwords are handled with the membership software we use for Tuts+ Premium, which isn’t extremely well coded and something we want to rebuild from scratch. In the mean-time our dev team will be hacking the software to bring password security up to the best practices we advocate on our Tuts+ sites, like Nettuts+.”

    If within a year you couldn’t find the time to address a serious security issue then I have little sympathy for the loss of custom Envato will experience because of Envato’s lack of care for user information.

    I don’t think anyone should be praising Envato for their transparency in this situation, it’s the minimum they could do. If I had known TutsPlus were storing passwords as plain text, I, and I’m sure many others, would have never signed up with TutsPlus.

  • JJ

    “will no longer be stored in clear text”, omfg! My trust in u guys really took a beating here. Are you seriously storing my password in clear text? It’s 2012, god damnit!

  • Kelvin

    Does this affect ThemeForest and CodeCanyon members?

    • http://twitter.com/jordan_mcnamara Jordan McNamara

      No, this only affects Tuts+ Premium. The Marketplaces have not been compromised, and personal data is protected with encrypted passwords.

    • Cyan

      well, considering most people use the same passwords, it doesn't matter much that the other sites were hashed.

  • VF

    Nice move for such a bad situation. Hope nothing will affect the flow of tuts writers and learning users.

  • Aditya

    Tuts+ Rocks
    These mischief makers are like terrorists for me, nothing more than criminals.
    Just a request: find the source of the breach and file a complaint with the police (if there exist such provisions in Australia).

    P.S. The incident which happened was just like a single minor typo in a 1000-volume encyclopedia, and these things are normal and happen. You confessed more than what was your mistake, said sorry; not once but twice! You are offering two months of free subscription to every member, but what’s the need of a refund???
    What I believe is that if we deprive our teachers of what they deserve and disrespect them, we cannot gain knowledge. (I am serious).
    When we receive a faulty book from an online store they mostly replace it (or sometimes pick it up and make a refund)
    But you are making a refund as well as a replacement too!
    Yet another proof of Envato’s excellence and values.

  • http://razerdesign.com Kevin Kirsche

    Thank you for being upfront and honest about all of this. I know that can be difficult. While at first I was worried, your honesty has helped to restore some of my faith and I look forward to seeing Tuts+ stay at the top of their game. While I’m surprised a cleartext password solution was used, I appreciate the difficulty in change. Thank you for being honest and I look forward to working with Envato in the future!

  • http://dean.io Dean

    I think the main question is why were you using aMember and its plugins if you knew that passwords were stored as plain text? Surely this is a no-brainer seeing as you are a network of sites which writes tutorials, with many on how *not* to store passwords as plain text…

    Your respect for me has gone right down and I will never sign up to tutsplus now after this…

    Why don’t you build your own system on Ruby on Rails like you did with Themeforest? I would happily help!

  • Michael

    While this whole plain text episode and password changing is annoying… it’s not even close to being as annoying as going through the comments on this post and yesterday's post (more yesterday's post), reading the same s**t, people asking questions that have been answered in the original post.

    Jesus Christ

  • Wojtek

    *cough* I hope you won’t put the salt in the same table as the password…

  • Al San Diego

    What will happen to those who recently signed up because of that $50 credit back promo? will that still happen?

    • http://twitter.com/jordan_mcnamara Jordan McNamara

      The promotion is still valid.

  • http://twitter.com/madebyivor Ivor

    Tuts+ rocks. Period!

  • http://www.integrityinvoice.com Adeniyi

    All I have to say is God bless you Collis & Team. Apologies accepted! And yes your honesty and transparency about the whole issue did nothing but strengthen my trust for your company.

  • lav

    It is confusing. Does that mean yearly members will get $19 USD and 2 months free, or just the money… I purchased the membership a few days back. Isn’t that useless? :(

    • lav

      N I hope envato will keep up the quality of work…..

    • http://pixelb.in Alex Pascal

      Both, I believe. The refund is for current paying customers, 2 free months is for anyone that has ever had an account with them.

    • lav

      That’s what I think… But whatever it is, they are true and accepting their fault….. I would like to see the website up and running….

    • http://www.junwatu.com Eq

      yeah! get back online soon, Tuts+!

  • Sid

    While I appreciate the transparency and honest approach taken here, after reading the above it still boggles my mind that something that can be patched in 48 hours wasn’t done earlier while you pursued your own in-house alternative to aMember.

  • http://pixelb.in Alex Pascal

    Good job on the actions being taken to rectify this situation. Thanks Collis and crew.

    • Meshach

      I still can’t believe this mistake happened, but thank you Collis for handling it professionally.

  • Bill Hance

    Keep my money.

    I’d rather you take all that money you are going to refund (including free access) and put it towards some kind of comprehensive security consultation.

    Publish your findings and give the community something way more valuable than a few bucks.

  • Israel

    I’m still wondering what issues had a higher priority over maintaining security for the passwords of your paid members! I just don’t see what else can possibly be more important than that. I guess because you had no one hacking your system before, you thought, mmm, we won’t worry about it for now, it's not like we have had any issues so far, we'll cross that bridge when the time comes. So I guess we are at crossing that bridge now, right?

  • http://www.twitter.com/anthonywoods Anthony Woods

    Upon receiving an e-mail notification of the problem, I immediately changed my password and was not affected by the event ….. The professional attitude in keeping us up to date, staying true and faithful to your readers with what was going on has been outstanding, and I seriously take my hat off to you. Yes, you will get quite a few angry people who are still not happy with what happened, but as a company you need to drive forward, provide a solution, and try your best to make sure it doesn’t happen again and give your readers a sense of trust and belief again…. Giving refunds was a necessity, but also allowing 2 months Tuts+ access for all affected shows integrity and commitment in rectifying the problem and showing your genuine apologies. I will be continuing my membership!

    • Travis

      Well stated and my thoughts exactly.

  • mystic

    Envato Staff and Management,
    I really appreciate the speed and openness that you’ve shown the community since this breach occurred. It is refreshing to see a company own up to their responsibilities and address the issues quickly.

    By comparison, LinkedIn recently had a security breach (which I discovered through the media – no telling how long that delay was) and only later received a cryptic message saying that I may have been compromised. The only noticeable effort on their part since 6-8 was a reset password link. No other contact, or information. LinkedIn, while being a much more profound leak/risk, has had a significantly poorer response thus far.

    Many of the Authors should be very familiar with issues such as development delays and project management. In hindsight, certain decisions could have been better, but the response by Envato management has shown true character (and undoubtedly the entire staff has felt the effects and demands of this breach). They appear to be making all the right moves now and that counts for a lot.

    Risks are inherent in this day and age and it is regrettable that it happened. It has become somewhat a source of worry and effort on my part – but that said, Envato (and its many sites) still represent quality and integrity. I am sure they will be better for this experience.

  • joe

    Does anyone know how to delete a subscription from PayPal? For some odd reason it won’t delete tuts+ from my subscriptions…

    • http://twitter.com/jordan_mcnamara Jordan McNamara

      Hey Joe, if you contact Envato Support http://support.envato.com they can walk you through how to deactivate your subscription.

  • http://www.designbyniall.com Niall

    Well, Envato is made out to be the bad party here when the real ones are the ones who hacked the site in the first place.

  • ian

    Wow, I wouldn’t even ask for a refund or free access because people make mistakes, but this is great! (from a subscriber point of view). I hate the circumstances for you guys, but seeing as how my subscription was running out next month it will be great to have a refund and/or free access before renewing.

    Thanks!

  • Shane Osbourne

    I’d like to say a big thank you to Collis.

    Why a thank-you?

    Because bad things happen on the interwebs and it’s refreshing to hear somebody come out and be honest about what happened.

    Good luck getting your systems up and running again.

    Shane :)

  • kieron

    Thanks very much for the refund.

    I’ll use it to buy something on Theme Forest.

    It’s a lesson for everyone involved.

    I’ve sorted my passwords out properly now, which is probably something I wouldn’t have done had this not happened.

    I’m sure most of the “big girls’ blouses” will stop whinging now too, although by the tone of some of them they enjoy it.

    Thanks for sorting it quickly, apology accepted, let’s move on.

  • Plush Pixels

    Well I might not be learning anything from Premium at the moment, but I sure have just learnt how to make a customer happy again!

  • michael soriano

    My problem is – I don’t know what password I used. I submitted a trouble ticket so your staff can send me the password that was used for my account – but they haven’t replied to me. Please get back to me asap.

    • pyemachine

      Same with mate. They responded to my request but they can’t give that info out, they say. Alas, I must go update the many websites I am a member of. Boo.

    • http://tutsplus.com Skellie

      Hi Michael,

      Staff are not able to access or provide you with your previous Tuts+ Premium password, as these are no longer being stored in any way, shape or form.

      It’s my strong recommendation that you change the password on any online accounts that *may* have shared a password with your Tuts+ Premium account. If you’re unsure, it would be best to reset your password on all of them.

      Sorry for the time this will take. I hope we can make it up to you!

      Skellie

      Tuts+ Premium Manager

  • http://kustomdesigner.com Mike

    Sometimes things just happen. I’m glad you were so upfront Collis, it just reconfirms how great a company Envato is to its users. People complain, but this thing happens to a lot of people. A while back CSS-Tricks almost had its entire domain stolen. I remember Chris Coyier doing a post about it… another guy who is a front end dev (Soh Tanaka) never even got his site back, some hackers stole it and moved the domain. I’m just glad things didn’t end up worse for Envato, they are pretty much the leader in our industry and I have learned more here than the rest of the web combined. Best of luck guys, can’t wait to get back to the PHP lessons when Tutsplus gets back up :)

  • robert

    Well, yea, plain-text passwords… I thought you were professionals…

    • robert

      I appreciate that you told us about the issue… Good luck in repairing the system!

  • http://www.hiphopvegan.com iseethings

    I’m glad to see the envato team is on top of the case. Thank you for keeping us informed!

  • Stuart

    For anyone interested, I spent all morning creating unique logins using KeePass and I would suggest everyone use something similar to manage your passwords. It is open source (free) and seems really great. That way if one password gets hacked, even if it is in clear text, you can just make a random new one in the program and have a smile on your face. Still can’t believe this happened, but I think it’s a good wake up call to all of the end-users to protect yourself.

    • Stuart

      Sorry, forgot to mention… when you use KeePass, back up the database and keyfile (if you use one, although I would) in something like Dropbox so that you can have access to it across all of your devices. I now have it on 3 computers and my phone and it is working flawlessly.

    • http://www.junwatu.com Eq

      KeePass combined with online storage does me a big favor by storing my passwords.

  • Josh

    I’ll admit I was pretty pissed off yesterday, and I directed that anger towards the wrong people.

    I’ve thought about the situation a lot, and I realized that you guys didn’t even have to tell us about the situation. But you did, knowing that it would enrage your users.

    Thanks for being honest. It’s refreshing to see that you want to make it right.

    I’ll give you guys a second chance.

  • Bill

    Took me awhile to change all my passwords. It was a real pain in the asshole. I appreciate you guys offering a refund and free two months service for all the trouble though.

  • http://www.burconsult.com John

    It is a bummer to have your systems compromised, especially if it affects your entire operations on such a scale. I’m glad you guys were sincere through it all and are working to restore access to your great service for all us paying customers. The LinkedIn incident a few weeks ago and now this, well it’s only natural in an online world where the number of online services has grown to such a level.
    I have always used some kind of algorithm to make all passwords unique, using special character combinations etc., yet having worked as an admin for a few online services, it’s painful to see how lazy people are in choosing a decent secure password.
    Good luck with everything and speedy recovery!

  • Kel

    I’m rethinking the come-clean full-disclosure honesty approach after reading all of these wanker posts.

  • http://www.junwatu.com Eq

    Never thought about a refund and 2 months of free access, but thank you anyway and thanks for the fast update. Hope Envato keeps up the quality work of the tuts+ contents.

  • Birox

    All you people, stop for a second, take a look and learn. This is how a real person and an honest company deals with a delicate problem like this. Learn, cause maybe one day you will have a big company, and God forbid you get yourself in the same position, at least then you will know how to handle it. And if you think “Who me? Why, I’ll never get in that kind of situation.”, think again.. some of you didn’t even bother to make your own simple and secure password algorithms.. First protect yourself and then judge if an environment can or can’t protect you better. Cheers! Collis, Envato, keep up the good work, you guys own the market and can get over this quick. BTW will start selling some products on your markets, so easy on the review cause I will KYA haha

  • Chris

    Look… it’s already happened… and it’s made me rethink the way I’m using my passwords across the internet. I’m wondering how many other sites on the internet are still doing the same thing. Thank God Envato responded the way it did and warned everybody of the incident (even though they were teaching everybody else the importance of hashing).

    Every one deserves a second chance and they will definitely put security before everything else going forward.

    Plus+ I can’t wait to get my hands on 3 months of free tuts!

  • http://www.tritonseo.com/ Ollie

    Good job owning up to the situation.

    Even though the cleartext fiasco was inexcusable, the way you’ve personally taken responsibility and also given refunds/free months is very commendable. I’ll definitely be staying with tutsplus and can’t wait until the service comes back up!

  • http://simianllc.com MasterKong

    Mistakes were made. Not only by Envato, but by those of us who use the same password on all other sites. This is the Internet – man made it and man will always be able to break it. Dry your tears, change your passwords and enjoy the top quality information you get for such a reasonable price instead of paying thousands of dollars in a traditional learning environment. Chin up!

    MK

  • Ktee8

    I don’t like that this happened, but I like the way you’re handling the issue and do appreciate the refund and upcoming free access.

    I’m a big fan of your courses, just having joined a half month ago. I hope you’re coming back safe and sound soon!!

  • http://example.com DonDop

    If you’re gonna store your passwords plaintext, you’re gonna have a bad time.

  • Steve

    Personally Collis, I just want to say thank you for the way you handled this. A month’s refund and two months free service is above and beyond what many other companies would give to their customers in similar circumstances.

    I hope this mess gets sorted out quickly and you are able to get Tuts+ up and running again.

  • Blake

    It’s really nice of Envato to offer all current paying members a refund, and 2 months free to anyone who has an account.

    My trust hasn’t gone from Envato, it happens to the best of them, at least Collis had the decency to air this to the public, unlike a few massive sites when it has happened to them.

    The Tuts+ Network has taught me most of my knowledge, I’m not going to let this stop me from learning from the best.

    • adrian chen

      And all it cost was your email, username, & password. Great Deal!

    • Blake

      Well, unlike the vast majority of people, I don’t have the same passwords for everything, and certainly not for my email or payment accounts.

      Your email and payment accounts are precious, you should never share passwords with a forum account, wordpress account etc..

      I’m not saying it’s wrong too, but most of the people here are smart enough to know not to use the same passwords for everything, security breaches like this unfortunately happen too often, so stray away from using repetitive passwords.

  • http://n/a jstofle@gmail.com

    How are we supposed to know what password we used? I have so many I’m not sure which one I gave you. Is there any way you can post a web app that takes a hash of my password, so if I type in my email and password you can tell me if that was the combo or not, so I can guesstimate what kind of personal breach this was?

  • Erik

    Everything has pretty much been said, I’m just stunned, my God man, what were you thinking. This is like a car company releasing a car with dodgy brakes, knowing about the issue and choosing not to fix it, because it would cost too much.

    I can appreciate how you are handling the situation, but man, what a poor decision on your part.

    • Jez

      So true. Poor decision.

  • Tony

    Hi guys,

    When can I sign back into the premium service again?
    It’s been 72 hrs now?

  • Pingback: Tuts+ Premium Downtime Update | Envato Notes

  • Patrick Rebel

    “there’s a difference between knowing the path and walking the path …”

  • Jez

    This is all great, however I kind of relate this to the following analogy.

    A financial advisor (Envato) giving advice on how to manage your finances then you find out that they are actually bankrupt and their excuse as to why, is that they hadn’t made it a priority to sort their finances out.

    The fact that you are able to sort this out in 48 hours or so makes me wonder why you didn’t do that in the first place.

    I certainly wouldn’t be a client of the financial advisor, and I’m struggling to come up with a reason to be a continuing client of Envato.

  • http://www.unicodue.com fabio

    good luck to the team in this task.

    i agree with many comments, both inspirational, positive, and others slightly irate and concerned – however my 2 cents’ worth is that almost anything can be hacked into. if the pentagon gets hacked as we sometimes see in the media (and mind you that is very few times that the media discloses but in fact it is probably a lot more), then this incident should be no surprise.

    could it have been better protected – perhaps. whether the incident started because of someone’s thrill, or out of jealousy, we should, as a community, try and all be supportive to the team that provide this service, and to each other. running something as big as the envato communities is not something simple, and takes a lot of work – for us others who are developers, business owners, etc, we should realise that even our practices aren’t as secure as they should be, and sometimes factors such as cost, time, prioritisation, or even simply put “i’ll get to it later” attitude does occur.

    agree or disagree – up to you, just felt like expressing as well. ciao

  • http://joelmturner.com Joel Turner

    Thank you so much for your updates. Envato has given so much to the web community for so many years.

    No matter what, we have all made decisions that we’re not proud of or decisions/actions that made a mess. The difference here is that Collis is willing to admit what happened and is rectifying the situation.

    Those that wonder how this patch can happen within 36 hours, it’s amazing what you can accomplish when things go crazy. I’m not surprised that the team was able to come up with a fix so quickly.

    Thanks again for being honest and I will definitely continue to use and promote your quality sites.

  • Jaxio

    We don’t plan to fail, we fail to plan.

  • Philipp Schaffrath

    I know a lot of companies which got hacked and they just kept silent. So it’s very nice that you are sending us mails.

    Not everybody has so much balls :)

  • Felix

    So it’s been over the 48 hours. I’d really like to start using the service again. I was having a great time learning… can I start doing this soon?

  • Pingback: Tuts+ Premium Downtime Update | Wordpress Themes

  • Andrew

    I admit I was angry a few days ago when this happened, but I think I’m going to stay with nettuts. I think I was overreacting to the whole situation.

    I have a humble request.

    Can you please add a Download All button to your video tuts? It’s a pain in the ass to download each and every video with the project file. I like watching tuts on my HDTV.

  • Zoran

    Hi Collis

    Having been a full-time web developer for a long time, I know that s*it happens. No one is perfect.

    However, I am glad that you had the courage to admit that you made a mess.

    I know that most of the projects we do simply fail, or have small success. My guess is that you were probably surprised by your success, or you were not prepared for success of this scale, whatever.

    Just wanted to drop you a line of support, and to let you know that I will stay with Envato no matter what.

    Thieves cannot take my knowledge from me, and that is the most valuable thing that I have. Part of that knowledge was learned right here on this site. Just keep making valuable courses.

    Regards, Zoran

  • Shannon

    I still love you, Envato. <3

  • dante1

    Envato
    It would be nice if you did a 30-day course on web security now that you are covering PHP basics. By the way, you said the site would be up today and still nothing; please confirm when this is gonna happen.
    2 months for free I think is fair.

  • http://GotohellAETuts This is Bullshit

    Not only is my information up for an identity bidding war, but now I can’t even see the tutorials that I need to finish projects under tight deadlines! Thank you very much tuts for ending my life }8(

  • http://launchmeweb.com Steve Barman

    I took a week off work for a stay-cation to study stuff on Nettuts. The fact that you’ve been down most of the week is severely bumming me out. Please reset the passwords or whatever ASAP. I need to study! thanks!

  • Tim S

    If I’ve understood your intentions correctly, I really don’t think you should give free access to premium content to members who weren’t already paying for premium content during the downtime.

    They hadn’t previously been willing to pay for the content, so to receive TWO MONTHS’ worth for free is ridiculous and very unfair to all your paying members.

    As a paying member, I have been inconvenienced, and the idea of non-paying “members” receiving access to the content I’ve been paying for, is very irritating.

    Perhaps free access for a week, but certainly not two months, it’s way too much time to watch or download a serious amount of Envato’s premium content. It would be unfair to loyal, long standing members, who have propped up the site for non-paying members.

    If you were to give away for free, what I’ve paid for, over the past few months, I’d seriously have to reconsider remaining a paying member and recommending Tuts+.

    The fact that you’ve already announced that you’ll offer it, suggests you haven’t thought about long term consequences. Maybe your security wasn’t thought out long term either. Sorry.

    • Tim S

      I should probably also add that Tuts+ is quality content, so doesn’t really compete on price. By giving premium content away for free, then you’re competing on price. You’ll attract the wrong sorts of people, and repel the right sort of people. Give away extra tutorials we haven’t seen yet, dig old unknown gems out, make sure your tutors have replied to forum questions (I’m still waiting for a couple of responses from tutors), make extra premium content available ASAP to PAYING members only, to apologise. But don’t give your premium content away for free.

  • Pingback: WP Late Night #15: "Pixels don't matter" | WPCandy

  • Pingback: Tuts+ Premium Back Live and Patched | Envato Notes

  • http://camdesigns.net CAM

    My password does not work, and the Password reset did not email me.

    • Wartone

      Same issue on my end. So, umm, what’s up with that?

    • Philipp Schaffrath

      If you are a programmer, you actually should have heard about the “forgot password” function that exists on nearly every website.

      This function lets you reset your password to a new one, so that you can login successfully again.

  • Nathan Pope

    I understand that people are upset but a lot of people are voicing this in such an immature manner. When an honest company like Envato makes a mistake it might seem easy to throw them under the bus. Kicking someone when they’re down is hardly ever the right answer. Some of you may sit back in your computer chair satisfied after your rant and feel like your anonymous bashing did you justice. I for one will continue to support this company who went above and beyond to rectify this unfortunate situation.

    How many companies do you know of that wouldn’t wait for your request to have money refunded and just offer it up automatically?

  • http://govertz.dk Govertz

    Are you sure the email reset function is working? I have now waited an hour, and still no email.

    • Philipp Schaffrath

      It worked instantly; make sure you enter the exact same mail you use on tuts+

  • Wartone

    And how do I gain access to such a function? Not a programmer. Still awaiting an email so I can make a new password.

    • Wartone

      Meant for Philipp*

    • Philipp Schaffrath

      Are you serious?

      Hm okay, go to http://tutsplus.com/ click on “SIGN IN”, now, after the little popup appears, click on “Forgot your password?”, enter your email, and follow the instructions given by the Mail or Website.

      Hope this helps…

  • http://govertz.dk Govertz

    Am I the only one waiting for the password reset email?

    And for the record, I have entered the exact same email I use on tuts+

  • James

    Thank you for keeping all of us informed on how the progress was going. It just really sucks that I had signed up for Premium the day before this happened, haha. Anyway, time to wait for my benefits. Thanks again, and good job.

  • http://govertz.dk Govertz

    3 hours later

    still waiting !!!!!!!!!

    wake up Envato

    • http://wp.envato.com/ Japh

      Hey Govertz, have you checked your spam folder? The email subject should say “Tuts+ Premium password reset”. If you still don’t have it, please submit a ticket to Envato Support ( http://support.envato.com/ ) and don’t forget to mention your Tuts+ Premium username.

    • http://govertz.dk Govertz

      Thanks @Japh I will do that.

  • http://www.krsiak.cz/ Krsiak Daniel

    so when is this
    “Two months of free access for ALL affected users”

    gonna happen?
    because as of now there are still only previews and an option to upgrade = pay (no way guys) to get it

    lame excuse and no results? :)

  • http://todvenn.co.uk Tod

    On bad prioritisation.. which is more pointless:

    1) Resolving a security bug after it’s caused its users a problem.
    2) Unsubbing after your password is compromised and the problem is fixed.

    All I know is I’m not going to cut my nose off to spite my face, I’ve more to gain than I have to lose from Tuts+. I know plenty of sites that secure their users’ passwords, and none that I’d rather be subbed to.

    Even if my bank details were compromised due to this, which they weren’t, they’d have to steal a fair bit of cash to go beyond the worth of all materials Tuts+ give away daily for free, and next-to-free.

    I’ll keep supporting Tuts+ [when they end giving refunds and free monthly subscriptions], because it’s the best, breach or no breach.

    I wonder how many awful corporations are supported by the users who are unsubbing from Tuts+, how many of the companies they support also openly steal and share their personal information. I can just imagine these users sitting back checking their Facebook and Barclays Bank account while swigging Coca Cola, berating Tuts+, while Barclays illegally fund scatter bombs to drop on children, and Coca Cola continue slaughtering their own trade union leaders.

    Make sure your priorities and actions make sense – everyone!

  • Joseph

    I’ve been waiting forever for my password reset. I checked inbox and spam for the last hour.

    • http://themeforest.net/user/JamiGibbs Jami

      Hi Joseph,

      Can you please let us know if you’re still having trouble logging in?

      http://support.envato.com/

  • Jyle

    I think they’ve handled this very professionally, and I wouldn’t mind betting that 100% of affected users will / have come out better because of this (refund + 2 months free).

    I’d just like to thank the envato team for acting on this very professionally and generously. Was an embarrassing scenario, but shit happens and that doesn’t stop their tuts and videos from being the best.

    Keep up the good work.

  • rick

    keep the money, go buy a giant cucumber with it and stick it ** **** ***

    I’ll never be back!! You look like an idiot too :^D

  • Nathan

    What happened sucked! That’s obvious, but give the CEO of Envato some credit. He is taking full responsibility, his credibility is now badly damaged because his actions were not the best. Running a business is REALLY difficult, and he gives away a lot for free. Although I am worried about signing up to Tuts Plus again, I am not going to write off this company so easily because of what they offer for a very cheap price.. $19/mth for downloads of heaps of ebooks, source files and videos. Please tell me 1 company that is so generous and I will consider signing up to them too. As a regular freelancer that has subscribed to Envato’s services for about 6 months I think:

    give them a chance to win my trust back by not getting hacked again!

    please think similar to me…

  • http://www.krsiak.cz/ Krsiak Daniel

    ENVATO:
    “Two months of free access for ALL affected users

    Regardless of whether a person was a current or expired member or just someone who signed up but never paid or used the service, we will be offering two free months of access to the Tuts+ Premium service. Despite this situation, I stand by our product as a fantastic resource and hope that this goes some small way to saying sorry to all the affected users.
    Once the service is back online, I’ll post up more details about the two months free access. For now all efforts in this area are going towards bringing the patched up service back online.”

    AFFECTED USER:
    “How is it possible then that your site says ‘Update your membership to get access to the full course.’

    http://krsiakdaniel.minus.com/mbh5iy4PBJ/1fU

    And there is NO free access and NO way to play whole courses? “

    • Bill

      did you get an answer?

    • http://themeforest.net/user/JamiGibbs Jami

      Hello Krsiak,

      I’ve had a look at your account and you’re all set to access all premium content until September 3rd. Can you double check it for us? If you’re still having trouble accessing the content, please feel free to send us a support ticket:

      http://support.envato.com/

  • Travis

    It is what it is and it could have been much worse. Was I mad? Hell yes I was! I was partly mad because now I had to go all over the place to change my password regardless of whether I used the same password as Envato or not; however, I was more mad at myself for having used the same password in more than one location. Between the credentials I use for home and those I use for work (IT) there is so much to remember so I got lazy. I respect the honesty and Envato showing some simple respect in giving back to the community for their mistake – In short, I appreciate the steps they took in regard to this matter.

    • http://themeforest.net/user/JamiGibbs Jami

      Hi Travis!

      I think we all learned a good lesson about each of our personal password methods. I know I did! Thanks for your honesty and feedback.

  • felix

    Hmm, I have not received any refund until now…. what’s wrong?

    • http://themeforest.net/user/JamiGibbs Jami

      Hi Felix,

      If you are a current Tuts+ Premium paying member, the one month refund should have been issued by now. If you’re still having trouble with this, please feel free to send us a support ticket so we can take a closer look:

      http://support.envato.com/

  • Bill

    Why was my PayPal automatically charged 19 to renew my monthly service? I thought we were getting two free months of service.

  • Bill

    Who do I contact? I canceled my subscription after you automatically took out $19 today to renew it. Will I get that $19 back?

  • Bill

    you guys need to get your shit together.

  • Bill

    Answer your fucking e-mails. I want my money back.

    • http://themeforest.net/user/JamiGibbs Jami

      So sorry again for the hassle, Bill. Please email me your Support ticket number and I’ll be sure to get it taken care of: jami@envato.com

  • Pingback: Envato Community Podcast: Episode 18 Out Now! | Envato Notes

  • Pingback: Tuts+ Premium Refunds / Free Access & Security Updates | Envato Notes