Mitigation of DDoS attack
The DDoS attack launched against Tutanota Saturday night was mitigated after several hours. This was the longest downtime of Tutanota in recent years. After this, connectivity remained intermittent for some users with two more short downtimes Sunday and Monday night.
Due to the downtime, Tutanota was not available to its millions of users around the world. To ease any insecurities among our users, here is a summary of what happened:
On Saturday, 15th of August, a sophisticated, multi-layered DDoS attack was launched against Tutanota which led to a downtime of all Tutanota servers. During this attack no data was lost or breached.
We do not know who is behind the attack or why they attacked Tutanota. It looks like someone wants to prevent all of you from using secure and private email, but we won't let that happen! We are committed to fighting for your privacy on all ends.
We are sure that our mitigation strategy will work better in the future, and we are committed to get Tutanota back on track to again reach its usual uptime of around 99.9%:
- April 2020 99.933%
- May 2020 99.871%
- June 2020 99.907%
Here we also want to answer the most frequent questions put to us via social media and email:
Is my data secure?
Yes, all data in Tutanota is securely encrypted and can't be accessed by anyone - not even by us.
What happened to my emails during the DDoS?
Emails received during the DDoS attacks were queued and delivered later. No emails were lost.
Did someone hack Tutanota?
No, the DDoS attack resulted in such a high volume of traffic to our servers that these were unavailable for several hours for our users. However, the attackers never hacked the Tutanota servers or gained access to any data stored on our servers. No data was breached.
Do I need to change my password?
No, changing the password is not necessary. Tutanota stores hashes of passwords. It is impossible to derive the actual password from this hash. Thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.
Why was Tutanota listed on spam lists?
Tutanota was listed on spam lists on Sunday and Monday. This was caused due to an attack against Tutanota with forged IPs. We have contacted the spam list owners to remove Tutanota. We are also currently investigating how to prevent such an attack in the future.
Why is there no status page for Tutanota's availability?
We have long wanted to publish a status page. However, as a privacy-first email service, we cannot use Google services to host a status page (like most services do). Hosting a status page ourselves would be the easiest, but this does not make any sense as the status page would be affected by a DDoS attack as well.
That's why we are currently looking into privacy-friendly options for hosting a status page. If you have any recommendations, please let us know!
We have already planned to add offline availability to Tutanota. We are now considering to move the priority of this feature higher to meet user demands. We understand that you need to access your mailbox at any time, and we are working hard to meet this demand.
Big thanks to the community
Finally, we want to thank the entire Tutanota community for bearing with us during this hard time. The DDoS attack caused our core team some sleepless nights, but we fought through it. Combined with your support, we will come out of this even stronger than before!
Even if someone does not want you to use secure and private email, we will keep fighting for your right to privacy.
Thank you very much for your support.