Update on the recent DDoS attack on Tutanota.

This weekend a sophisticated DDoS attack was launched against Tutanota.

This Saturday a DDoS campaign was launched against the secure email service Tutanota, which led to a downtime of several hours until we were able to mitigate this complex attack. Here we would like to explain how the attack affected Tutanota. We deeply apologize for the downtime and thank all our users for bearing with us during this difficult time. We are currently reviewing and improving our DDoS protection to mitigate similar attacks faster in the future.

Mitigation of DDoS attack

The DDoS attack launched against Tutanota Saturday night was mitigated after several hours. This was the longest downtime of Tutanota in recent years. After this, connectivity remained intermittent for some users with two more short downtimes Sunday and Monday night.

Due to the downtime, Tutanota was not available to its millions of users around the world. To ease any insecurities among our users, here is a summary of what happened:

On Saturday, 15th of August, a sophisticated, multi-layered DDoS attack was launched against Tutanota which led to a downtime of all Tutanota servers. During this attack no data was lost or breached.

We do not know who is behind the attack or why they attacked Tutanota. It looks like someone wants to prevent all of you from using secure and private email, but we won't let that happen! We are committed to fighting for your privacy on all ends.

We are sure that our mitigation strategy will work better in the future, and we are committed to get Tutanota back on track to again reach its usual uptime of around 99.9%:

  • April 2020 99.933%
  • May 2020 99.871%
  • June 2020 99.907%

Here we also want to answer the most frequent questions put to us via social media and email:

Is my data secure?

Yes, all data in Tutanota is securely encrypted and can't be accessed by anyone - not even by us.

What happened to my emails during the DDoS?

Emails received during the DDoS attacks were queued and delivered later. No emails were lost.

Did someone hack Tutanota?

No, the DDoS attack resulted in such a high volume of traffic to our servers that these were unavailable for several hours for our users. However, the attackers never hacked the Tutanota servers or gained access to any data stored on our servers. No data was breached.

Do I need to change my password?

No, changing the password is not necessary. Tutanota stores hashes of passwords. It is impossible to derive the actual password from this hash. Thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.

Why was Tutanota listed on spam lists?

Tutanota was listed on spam lists on Sunday and Monday. This was caused due to an attack against Tutanota with forged IPs. We have contacted the spam list owners to remove Tutanota. We are also currently investigating how to prevent such an attack in the future.

Why is there no status page for Tutanota's availability?

We have long wanted to publish a status page. However, as a privacy-first email service, we cannot use Google services to host a status page (like most services do). Hosting a status page ourselves would be the easiest, but this does not make any sense as the status page would be affected by a DDoS attack as well.

That's why we are currently looking into privacy-friendly options for hosting a status page. If you have any recommendations, please let us know!

Offline availability

We have already planned to add offline availability to Tutanota. We are now considering to move the priority of this feature higher to meet user demands. We understand that you need to access your mailbox at any time, and we are working hard to meet this demand.

Big thanks to the community

Finally, we want to thank the entire Tutanota community for bearing with us during this hard time. The DDoS attack caused our core team some sleepless nights, but we fought through it. Combined with your support, we will come out of this even stronger than before!

Even if someone does not want you to use secure and private email, we will keep fighting for your right to privacy.

Thank you very much for your support.

Black and white picture of Matthias thinking and looking to the right side.
Matthias is co-founder and developer of Tuta, focusing on backend development, architecture and email processing. He writes code and political comments to fight for our human right to privacy. He wants to create an encrypted cloud collaboration platform which is so easy to use and so secure that it locks out all the spies. We all deserve a better internet - one where privacy is the default.
Top posts
Latest posts