Tutanota has now been under recurring DDoS attacks for almost one month. To this day, we have not received any notice from the attackers - no one has come forward or tried to blackmail us. Due to the sophistication of the ongoing attacks and their changing attack vectors, we are also constantly adapting to them.
As they are not asking for any compensation, the only goal the attackers can have is to harm Tutanota and to stop people around the world from using encrypted email. This is a direct attack on our freedom and our right to privacy. Now is the time to support Tutanota and to fight with us for our right to privacy!
Please support our fight by upgrading your Tutanota account or by donating.
While the attacks continue, we are working hard to mitigate them as they change. To achieve this, we have implemented improvements directly in Tutanota, which have already made it much harder for attackers and stopped several attack vectors. We are also working closely with our DDoS mitigation service to improve both our system and theirs.
While we have not yet managed to stop all attacks, successful attacks have become far fewer and much shorter. Nevertheless, we apologize for any inconvenience caused by these outages and will keep working hard to improve the system further.
Together with your help, we are confident that no attacker - no matter how powerful - will be able to harm Tutanota. When we stand together, we will be much stronger than any attacker. Thank you very much for your support.
Here we also want to answer the most frequent questions put to us via social media and email:
Yes, all data in Tutanota is securely encrypted and can't be accessed by anyone - not even by us.
Emails received during the DDoS attacks were queued and delivered later. No emails were lost.
No, the DDoS attack resulted in such a high volume of traffic to our servers that they were unavailable to our users for several hours. However, the attackers never hacked the Tutanota servers or gained access to any data stored on our servers. No data was breached.
No, changing the password is not necessary. Tutanota stores hashes of passwords. It is impossible to derive the actual password from this hash. Thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.
We have long wanted to publish a status page. However, as a privacy-first email service, we cannot use Google services to host a status page (like most services do). Hosting a status page ourselves would be the easiest, but this does not make any sense as the status page would be affected by a DDoS attack as well. We are preparing a status page right now and hope that it will go live in a couple of days.
We have already planned to add offline availability to Tutanota. We have now changed the priority of this feature to meet user demands. We understand that you need to access your mailbox at any time, and we are working hard to meet this demand.
Finally, we want to thank the entire Tutanota community for bearing with us during this hard time. The ongoing DDoS caused our core team some sleepless nights, but we keep fighting the attacks. Combined with your support, we will come out of this even stronger than before!
Even if someone does not want you to use secure and private email, we will keep fighting for your right to privacy.
Thank you very much for your support.