
Cyber Incident Victim: Tutanota

Date: Sep 2020

Location: Germany

Summary

A privacy-focused email service provider experienced sustained DDoS attacks, mitigated through a combination of external infrastructure support and internal security enhancements. During mitigation efforts, an overactive IP-blocking mechanism erroneously prevented hundreds of legitimate users from accessing services for several hours, though most users remained unaffected. The organization resolved the configuration error promptly and maintained its commitment to privacy by developing proprietary defenses rather than compromising encryption standards. Concurrently, infrastructure improvements accelerated platform performance while development priorities expanded to include quantum-resistant cryptography prototypes and offline functionality. No ransom demands were acknowledged, with resources allocated to strengthening resilience against future attacks.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In September 2020, Tutanota experienced sustained distributed denial-of-service (DDoS) attacks targeting its email service infrastructure. The attacks coincided with an internal infrastructure issue during a weekend period around September 14, resulting in service disruptions. While Tutanota's security team mitigated most attack traffic through their custom DDoS protection systems, an operational error in their mitigation configuration caused collateral damage. Specifically, an overactive IP-blocking mechanism incorrectly identified legitimate user traffic as malicious, preventing hundreds of users from accessing their accounts for multiple hours on Sunday. The company acknowledged this misconfiguration as the direct cause of the unintended downtime, though the core service remained accessible to most of their millions of users during the attacks. Tutanota confirmed the DDoS campaign constituted a persistent nuisance rather than a complete service outage, with attackers employing both low-volume and application-layer attack vectors against their systems.


Tutanota's response involved immediate corrective actions to modify the faulty IP-blocking parameters, restoring full access to affected users. The company maintained its existing partnership with German DDoS mitigation provider Link11 for handling encrypted, low-volume traffic, while continuing to develop proprietary application-layer defenses to avoid sharing SSL certificates with third parties. Concurrent infrastructure improvements accelerated attack mitigation times and enhanced system performance, with users reporting noticeable speed increases post-incident. Development teams prioritized three ongoing projects: refining DDoS countermeasures, implementing quantum-resistant cryptographic algorithms nearing prototype completion, and initiating complex offline support functionality. Tutanota reiterated its policy against ransom payments or concessions to attackers while apologizing to impacted users and attributing its resilience to maintaining privacy-focused architectural decisions throughout the incident response.

Sources: 1 source (available to members)