If a third party decided to be malicious they could upload and delete files in your ftp directory, but not download. API keys also grant access to your personal account info, balance, sales data, statement etc – so you should be careful to only give them to trusted third parties.
The change we’re making on FTP is to reduce the current functionality of password or API key to API key only. We have updated our FTP software to show a more helpful error message on failed login.
Even if API key is a bit more esily acquirable by someone with dark intetntions, the FTP is just used for uploading, there is not too much harm that could be done. But the FTP could be hammered by password brute force attacks or other things, it’s best to only use our passwords for logging in the marketplaces (wish there was ssl).
Hope this changes will bring role-life better for Envato and Marketplace network. Thanks for the info.