It's wise to be concerned, but in this case the instructions are real. They are dealing with the aftermath of the Heartbleed bug, which might have let someone get to your current password on any websites that relied on OpenSSL for their security. Now that they have patched their sites, everybody needs to change passwords to be safe. And to be doubly secure, make sure you use a different, unguessable password at each site.
To verify the instructions you were given, examine the URL in the email and make sure it goes to one of Envato's domains. Don't just look at the URL as it appears in the email; look at the HTML code to see where it really points. If the domain in the URL looks weird or you just aren't sure, contact Envato's support people.