DDoS attack on our DNS infrastructure

Multiple DNS providers were attacked to take down Tutanota.

Last night multiple DNS providers were attacked to take down Tutanota. In combination with wrongly cached DNS entries for the tutanota.com domain at different DNS servers, this led to a downtime of several hours for millions of Tutanota users. We had switched DNS entries, but as the propagation takes time, some users did not get access to Tutanota immediately.

Continuous attack on Tutanota

After multiple direct attacks on Tutanota, the attacker yesterday aimed at two providers that host the Tutanota DNS records. As a result these providers went down. We quickly tried to update our DNS records and host them at another provider. This did not work initially because the DNS entries got locked at one of the DNS hosting providers.

Because we couldn't change the DNS entries for our domain, Tutanota was inaccessible for millions of users around the world for most of Wednesday night.

Switching DNS providers

While we were moving another domain to a different registrar, our tutanota.com domain got unlocked again.

We then registered our domain on a third, more robust DNS hosting provider that is able to hold against the ongoing attacks.

We have updated our DNS records, and universal access has finally been restored Thursday morning around 7:30 CET.

Email delivery

These attacks against the domain hosting providers have been completely out of our control. Unfortunately, due to the domain block by one hosting provider during the DDoS, there were no DNS entries available for Tutanota for a certain time-frame.

Due to this, some email providers were not able to deliver emails to Tutanota depending on how long they retried. If a mail server stopped trying, the sender received a message that the email could not be delivered. This issue has been resolved by now.

Remaining accessibility issues

Issues that are remaining now are caused by caching and propagation: Each DNS server does not ask for the next update, until the old DNS entry expires. Some servers cached old nameservers during the time that our domain was locked.

This is the reason why Tutanota is still not accessible for some users, even though our status page says that everything is up and running. DNS entries are slowly propagating so that soon all users can access Tutanota again.

If you need help accessing Tutanota, please check the tips from our community posted here.

Together with your help, we are confident that no attacker - no matter how powerful - will be able to harm Tutanota. As long as we stand together, we will be much stronger than any attacker. Thank you very much for your support.

Here we also want to answer the most frequent questions put to us via social media and email:

Is my data secure?

Yes, all data in Tutanota is securely encrypted and can't be accessed by anyone - not even by us.

What happened to my emails during the DDoS?

Emails received during the DDoS attacks were queued and delivered later. Emails sent to you while there was no DNS entry available for Tutanota (domain being locked) might not have been delivered. In that case, the sender received a bounce message informing them about the temporary problem.

Did someone hack Tutanota?

No, the attackers never hacked the Tutanota servers or gained access to any data stored on our servers. No data was breached.

Do I need to change my password?

No, changing the password is not necessary. Tutanota stores hashes of passwords. It is impossible to derive the actual password from this hash. Thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.

Offline availability

We have already planned to add offline availability to Tutanota. We have now changed the priority of this feature to meet user demands. We understand that you need to access your mailbox at any time, and we are working hard to meet this demand.

Big thanks to the community

Finally, we want to thank the entire Tutanota community for bearing with us during this difficult time. The ongoing DDoS caused our core team some sleepless nights, but we will keep fighting the attacks. Combined with your support, we will come out of this even stronger than before!

Even if someone does not want you to use secure and private email, we will keep fighting for your right to privacy.

Thank you very much for your support.

No comments available