Evernote Issues Password Reset After Security Breach




MacRumors
Mar 2, 2013, 02:18 PM


Note-taking service Evernote (http://evernote.com) today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset (http://evernote.com/corp/news/password_reset.php).

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

All Evernote users will be prompted to choose a new password when logging in to the website. The company is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK (http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/), an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach (http://www.macrumors.com/2013/03/02/evernote-issues-password-reset-after-security-breach/)



itickings
Mar 2, 2013, 02:32 PM
Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways. :)

Jessica Lares
Mar 2, 2013, 02:32 PM
I have been an Evernote user since it was in beta. Sad to see this happen to them.

impulse462
Mar 2, 2013, 02:40 PM
I have been an Evernote user since it was in beta. Sad to see this happen to them.

I haven't been using them since beta, but I've been using them for a long time and I agree. Works amazingly for class notes; couldn't imagine surviving in college without it.

abz1981
Mar 2, 2013, 02:51 PM
Note-taking service Evernote (http://evernote.com) today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset (http://evernote.com/corp/news/password_reset.php).

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.

All Evernote users will be prompted to choose a new password when logging in to the website. The company is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked after employees visited iPhoneDevSDK (http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/), an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach (http://www.macrumors.com/2013/03/02/evernote-issues-password-reset-after-security-breach/)

Reported this ages ago via got a tip or whatever it is called link lol.

furi0usbee
Mar 2, 2013, 03:00 PM
Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways. :)

What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

KPOM
Mar 2, 2013, 03:10 PM
There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.

James Craner
Mar 2, 2013, 03:11 PM
It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address, and your password are taken, you are vulnerable. If you are daft enough to use the same password on other websites, then you are vulnerable not only on that website, but on every website where you use the same password.

I use 1Password.

furi0usbee
Mar 2, 2013, 03:16 PM
I have a 20 character master password with 1Password. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net

itickings
Mar 2, 2013, 03:31 PM
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

One way is to have your own domain and a hosting service with an unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.

legioxi
Mar 2, 2013, 03:56 PM
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

Personally, I use a unique email per site. I have an Office365 business account for my personal email ($4/mo for the basic Exchange mailbox with 25GB) and I have a script that creates an email on the system and adds a rule that filters that email into its own folder. I run it every time I sign up somewhere.
http://legioxi.com/2013/02/23/add-filtered-email-address-in-office365/

Regarding Evernote... anything special in it is encrypted. I also use a unique password that is around 25 characters. I don't have any issues remembering my passwords - and no I don't use common dictionary words. Though it took a while to get into the swing of remembering unique passwords.

For sites I'm not worried about (i.e. forums like this), I share a password though. Even if someone was to get it, the emails I sign up with are random so it wouldn't be any good anywhere else.

Unfortunately when I started doing the unique emails, Macrumors wouldn't send me a new activation email when I switched my account email. So this is a brand new one. Old one was Bogatyr.

furi0usbee
Mar 2, 2013, 04:23 PM
One way is to have your own domain and a hosting service with an unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.

I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

What I do though, is lie when presented with secret questions for my accounts. So if it says what state I was born in, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

Bryan

jennyp
Mar 2, 2013, 05:53 PM
I have a 20 character master password with 1Password. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net

That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

</pedantry>

dilbert99
Mar 2, 2013, 06:03 PM
Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.

turtle777
Mar 2, 2013, 06:37 PM
Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.

Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

JamesInLA
Mar 2, 2013, 07:01 PM
There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.

From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.
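The salting question raised in the post above, as an added example that is not part of this thread or of Evernote's code: a per-user random salt stored beside the digest (which is where every sane scheme stores it) stops an attacker holding the table from spotting users who share a password and from reusing precomputed tables, while the deliberately slow key derivation is what limits guessing against each account. The PBKDF2 iteration count and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed cost parameter for the example; production values are tuned to the
# hardware. The point is that the function is deliberately slow per guess.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a record {salt, iterations, digest} meant to sit next to the username.

    The salt is random per user and stored in the clear: its job is to make each
    stored digest unique, not to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def unsalted_sha256(password: str) -> str:
    """The weak scheme for contrast: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_detectable(records) -> bool:
    """True if any two stored digests are identical, i.e. whoever holds the table
    can see which users share a password without guessing anything."""
    digests = [r["digest"] for r in records]
    return len(digests) != len(set(digests))


def demo() -> dict:
    # Constructed sample accounts; alice and bob deliberately share a password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}
    unsalted = [{"digest": unsalted_sha256(p)} for p in users.values()]
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_leaks_shared": shared_password_detectable(unsalted),
        "salted_leaks_shared": shared_password_detectable(salted.values()),
        "alice_ok": verify_password("correct horse", salted["alice"]),
        "alice_wrong": verify_password("Correct horse", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```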

numbersyx
Mar 2, 2013, 08:25 PM
This is pretty shocking. I know people who put their credit card statements and receipts into Evernote. Makes me glad I didn't follow their advice. Ditto all the comments for 1Password...

ChristianJapan
Mar 2, 2013, 09:31 PM
One way is to have your own domain and a hosting service with an unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.

That's what I also do, for some time now: service-specific email aliases. Not sure if that finally helps, as I also see spam to generic addresses like Info@<domain> or postmaster@<domain>. The bad guys will adapt to whatever we try.

view2darrel
Mar 2, 2013, 09:35 PM
I changed my password last night. I generate my passwords using 1Password. All my passwords are random, 15-20 characters long, with numbers.

maxosx
Mar 2, 2013, 10:02 PM
This event simply emphasizes the value of taking one's password & security plan seriously.

By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.

VirtualRain
Mar 2, 2013, 10:07 PM
Evernote needs to get serious about data loss and encrypt all data... not just your password or phrases within notes you choose to encrypt.

KPOM
Mar 2, 2013, 10:58 PM
From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.

Hopefully that isn't the case, but I, too, found their explanation a bit disconcerting in that respect.

Synching and having access to my data, no matter what device I'm on is nice (Windows, Mac, iOS, Android), but if that means the Chinese military can spy on my data, I won't keep anything too sensitive synched. Chances are they don't care about my data, but once it's out there, people who do care may be able to get to it.

dilbert99
Mar 3, 2013, 03:19 AM
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

I guess I was meaning more specifically that it should say

Dear username

where username does not need to be your real name.

I take your point... but I was always told to ignore any email that is not addressed to me. For me, >99% of emails addressed "Dear User" are either spam or phishing emails.

Mitochris
Mar 3, 2013, 03:53 AM
I don't use Evernote for anything sensitive, but I am more worried about what it implies. If Evernote is hacked, will syncing solutions, such as iCloud or Dropbox, be targeted? For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and gain access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the government's doing, we have a problem.

jennyp
Mar 3, 2013, 05:18 AM
I don't use Evernote for anything sensitive, but I am more worried about what it implies. If Evernote is hacked, will syncing solutions, such as iCloud or Dropbox, be targeted? For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and gain access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the government's doing, we have a problem.

Valid points, I think. It all tempts me to go back to some kind of secure sneakernet - Knox vault moving from machine to machine...

DavidTheExpert
Mar 3, 2013, 08:33 AM
I noticed a "your Evernote password has changed" message a few hours before I got that security email, and I couldn't log in. I freaked out thinking someone had hax0red my evernote account, so I quickly manually reset my password. I was relieved to log back in and find that none of my notes had been deleted, nor were there any extra notes saying "lolz hacked ur account betch!" Then I was even more relieved when I got the letter from Evernote explaining what had happened.

knucklehead
Mar 3, 2013, 08:49 AM
I don't use Evernote for anything sensitive, but I am more worried about what it implies. If Evernote is hacked, will syncing solutions, such as iCloud or Dropbox, be targeted? For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and gain access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the government's doing, we have a problem.

You need to encrypt anything you are even remotely concerned about. 1Password's files are already encrypted in Dropbox, so that's OK. I use BoxCryptor for my own sensitive files on Dropbox, but I'll be moving to using it on pretty much everything.

This incident looks like my .mac email address has just become further polluted, and I can look forward to even more spam and phishing emails.
I wish Apple would let me change that from my Apple ID.

pundit
Mar 3, 2013, 12:04 PM
I use dynamic DNS and OpenVPN with a shared key to access data externally... Then I just use a full copy of OneNote on a tablet; it does live shared updating of the notebooks. For me, I don't worry about "Evernote got hacked!"

Of course, it's not a solution for the average user; simply too much complexity, but there is no substitute for providing your own security and hosting your own data if you can do it.

lwapps
Mar 3, 2013, 12:18 PM
I have been an Evernote user since it was in beta. Sad to see this happen to them.

It must be the same people behind the Twitter and Apple attacks too. It seems very likely that they are related.

turtle777
Mar 3, 2013, 02:15 PM
For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and gain access to all my passwords.

In the case of 1PW, they would need all the time in the world.

As long as you use a long and safe Master Password, encrypted data in the cloud is not an issue.

They will go for a dictionary attack before they try to decrypt your contents.

-t

pmau
Mar 3, 2013, 04:04 PM
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

Thanks for this remark. You are absolutely spot on.

I hate it when companies mail invoices to you stating billing address and your payment method etc.

My phone company for example writes a completely anonymous message that I can now download my monthly phone bill including call records.

It contains no name, customer id or anything.
This is a really important part of privacy.

japanime
Mar 3, 2013, 05:14 PM
I use Evernote but didn't seem to receive the email warning of the password breach. It certainly wasn't in my inbox.

So, I just searched my Mail.app and discovered that Apple's junk-mail filter had put the Evernote email directly into the trash. :confused:

canyonblue737
Mar 3, 2013, 07:22 PM
I never got an email either, but I think I know why... Evernote sent the email from a NON-Evernote domain that was only registered a few months ago and whose ID looks like it doesn't belong to Evernote. It looks EXACTLY like a classic phishing scheme... except Evernote has admitted it really was from them. Many email services grab these messages because they look so obviously fake. They are now saying on the forums it was due to this happening in the midst of a big email server switch for them and this was the only way they could send out 50 million emails on short notice. To me it says that this is a big company still playing amateur hour when it comes to user security.

1. No 2-factor authentication.
2. SSL only when sending data to their servers.
3. No encryption of ANY KIND of ANY of your notes or notebooks on their servers. If someone gets your primary password, everything is exposed.
4. Poor handling of the large data leak... email response, style and timing were all beyond poor. All passwords were reset prior to ANY email, Twitter, homepage or any other notification sent from Evernote. The error alert Saturday morning on evernote.com and in apps simply said you were entering the wrong password, leading thousands to think they had been hacked, with nothing at all explaining what had really happened.

This is a company that proudly has articles on their website saying "how to use Evernote at tax time" but does nothing at all to protect the critical nature of user information on their servers. No one does this as poorly in the crowd they want to play in: Apple, Twitter, Google, Dropbox etc. It is downright irresponsible for them to imply that critical user data is safe, and they haven't even hinted they want to improve it ('cept for 2-factor, which they have been implying for a year and which never arrived, even with the big 5.0 update).

I hope Evernote stops what they are doing, realizes they are becoming a MAJOR player in the cloud space and, with 60 million accounts, that they have to do FAR better. Evernote has been iterating like mad on their service, which has brought them great success, but they need to pour their resources into the security they desperately need, starting with 2-factor authentication and the ability to encrypt notebooks. Only then will Evernote be a modern, secure cloud service to store your life's most valuable information.

japanime
Mar 3, 2013, 09:20 PM
I never got an email either, but I think I know why... Evernote sent the email from a NON-Evernote domain that was only registered a few months ago and whose ID looks like it doesn't belong to Evernote. It looks EXACTLY like a classic phishing scheme... except Evernote has admitted it really was from them. ...

Fantastic info. Thanks! I couldn't figure out why the message would have been filtered as "junk."

daveham
Mar 4, 2013, 09:10 AM
This is why I use Dashlane:

1. I never reuse passwords, so it was minimal damage to my security.
2. I got an alert that let me know of the breach even before Evernote did.
3. I changed my passwords on my iPhone while at dinner. Dunzo.

Impact of breach? Minimal. Cost of Dashlane? Free.

:cool:

Will do good
Mar 4, 2013, 07:13 PM
It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address and password is taken, you are vulnerable. If you are daft enough to use the same password on other websites, then not only are you venerable on that website, but every website that you use the same password.

I use 1Password.

I use 1Password for my unimportant sites that contain no personal data, credit card or financial information.

But I don't feel safe leaving all my important data to any one company such as 1Password. If hackers (China included) can hack into Apple, Facebook, government agencies etc., why can't they hack into 1Password? Especially since WE all know they keep everyone's accounts and passwords. That's who I would target if I really wanted a big payout. :D

James Craner
Mar 6, 2013, 12:27 PM
I use 1Password for my unimportant sites that contain no personal data, credit card or financial information.

But I don't feel safe leaving all my important data to any one company such as 1Password. If hackers (China included) can hack into Apple, Facebook, government agencies etc., why can't they hack into 1Password? Especially since WE all know they keep everyone's accounts and passwords. That's who I would target if I really wanted a big payout. :D

Would not do them any good, for two reasons:

1. AgileBits (the developer) does not keep details of your 1Password password.

2. Any hacker would need two things to access your passwords: physical access to the password database, which is only stored where you choose to keep it, and your 1Password password. Your 1Password database is not stored by AgileBits.

alisagenovese
Mar 17, 2013, 09:08 PM
Anyone had the experience of losing access to their account? I have been in contact with Evernote. Seems my account was linked to an old email and they cannot verify my account, so they will not allow me access. They sent me a way to try to access my notebooks on my computer. This is what they told me to do:

We’re sorry you’re unable to access your copy of Evernote Desktop due to an incorrect password, but we’re happy to assist you with getting your notes back into Evernote.

Here’s how to accomplish that:

On Mac:

Your database is in a hidden directory. You can access it by opening the Finder, then selecting "Go" from the top menu and hitting the "Option" key. Once you have done that, you'll see the "Library" folder pop up.

Select it.

~/Library/Containers/com.evernote.Evernote/Data/Library/Application Support/Evernote/accounts/Evernote/<your username>/content

or

~/Library/Application Support/Evernote/accounts/Evernote/<your username>/content

Create a brand new Evernote account with your new, desired username. Note, you will need to use a different email address than the one currently on file with your account. Login to Evernote Desktop for Mac with this username, then drag the "Content" directory onto your desktop. Contact Support for further instruction.

Once you have performed these steps, please reply with your new account username and we will be happy to issue you additional storage space to help you with importing your data to the new account.

I tried and do not see the library files they mention. Does anyone have any other suggestions on how I may recover my notebooks? I feel scared I may have lost them forever :confused:

Thank you