Important Community Update about your personal information

We have to inform you all of a serious issue that has occurred in the last day that has compromised the privacy of a limited portion of members of our community. We take this issue extremely seriously and will be as transparent as we can while working through this issue with you all. The technical, help, and community teams are all here to help. We’ve worked quickly to resolve the issue, ensured there was no leakage of passwords, user credentials, or payment credentials of any kind and are now notifying affected users.

### What happened?

The Envato API provides access to an enormous amount of information that our community puts to use in myriad ways in many applications and tools. The vast majority of the information served by the API is not sensitive in nature, but there is a “private” API that contains user-specific information such as sales data and email addresses. Obviously, when different users hit these APIs, the results should be specific to them. However, for a 14-hour period starting at around 10am on Wednesday September 2nd (Australian Eastern Standard Time), our Content Delivery Network (CDN) was misconfigured in such a way that it cached the results of these private API calls and delivered those cached results to users for whom they were not intended. This also affected some Market features such as the downloading of statements in CSV format.

Our users alerted us to this issue and it was quickly diagnosed and resolved once we became aware of it.

### What are we doing about it?

We immediately shut down the API, diagnosed the issue and brought it back up once it was safe to do so with the faulty caching turned off. We are now collating and analysing all the information we have from the period in question so that we can determine who was specifically affected and in what way. We must ask those of you who became inadvertent recipients of another user’s information to dispose of it immediately. Your friends in the community whose information was leaked are also innocent parties here.

We will be reaching out directly to the people affected to inform them of the situation and to let them know what information was vulnerable during the incident. Out of our community of millions, our initial investigations indicate that the number of affected people will number in the hundreds; the likelihood at this point is that you were not affected. We should also be very clear that no passwords, credit card numbers or other credentials have been exposed that would in any way threaten the safety of your user accounts or the funds you hold with us.

Once again, everyone at Envato is deeply sorry for having let this happen to our community and we will do everything we can to ensure it never happens again.

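The failure described above, a CDN storing user-specific API responses and replaying them to other users, can be checked for from the origin side. The following is an added example, not Envato's code: it applies the shared-cache storage rules of RFC 9111 to constructed request/response pairs and lists the user-specific ones a CDN would be allowed to store. The paths, header values and the assumption that every response is a 200 are hypothetical.

```python
"""Added example: may a shared cache (CDN) store this response? (RFC 9111)"""


def parse_cache_control(value):
    """Return a dict of lower-cased Cache-Control directives."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Assumes a 200 response, which caches may store by default."""
    req = {k.lower() for k in request_headers}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return False  # the origin explicitly forbids shared storage
    if "authorization" in req:
        # RFC 9111 section 3.5: needs an explicit opt-in directive
        return any(d in cc for d in ("public", "s-maxage", "must-revalidate"))
    # Cookie or API-key authentication gets no default protection at all
    return True


def is_user_specific(request_headers):
    return bool({k.lower() for k in request_headers} & {"authorization", "cookie"})


# Constructed samples: (path, request headers, response headers)
SAMPLES = [
    ("/private/statement.csv", {"Authorization": "Bearer <token>"},
     {"Cache-Control": "public, max-age=300"}),
    ("/private/account", {"Authorization": "Bearer <token>"},
     {"Cache-Control": "max-age=300"}),
    ("/private/sales", {"Cookie": "session=<id>"}, {}),
    ("/private/email", {"Cookie": "session=<id>"},
     {"Cache-Control": "private, no-store"}),
]


def audit(samples):
    """Return paths whose user-specific responses a shared cache could store."""
    return [path for path, req, resp in samples
            if is_user_specific(req) and shared_cache_may_store(req, resp)]


if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("shared-cacheable user data:", path)
```

This only evaluates what the origin sends; a CDN rule that overrides or ignores origin cache headers has to be reviewed in the CDN configuration itself.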