Evernote Issues Password Reset After Security Breach

MacRumors · Mar 2, 2013

Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach

itickings · Mar 2, 2013

Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways.

Jessica Lares · Mar 2, 2013

I have been an Evernote user since it was in beta. Sad to see this happen to them.

impulse462 · Mar 2, 2013

Jessica Lares said:
I have been an Evernote user since it was in beta. Sad to see this happen to them.

I haven't been using them since beta, but I've been using them for a long time and I agree. Works amazing for class notes; couldn't imagine surviving in college without it.

abz1981 · Mar 2, 2013

MacRumors said:
[url=http://cdn.macrumors.com/im/macrumorsthreadlogodarkd.png]Image[/url]

Image
Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked after employees visited iPhoneDevSDK, an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach

Reported this ages ago via got a tip or whatever it is called link lol.

furi0usbee · Mar 2, 2013

itickings said:
Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways.

What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

KPOM · Mar 2, 2013

There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.

James_C · Mar 2, 2013

It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address and password is taken, you are vulnerable. If you are daft enough to use the same password on other websites, then not only are you venerable on that website, but every website that you use the same password.

I use 1Password.

furi0usbee · Mar 2, 2013

I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net

itickings · Mar 2, 2013

furi0usbee said:
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

1Password is really nice.

legioxi · Mar 2, 2013

furi0usbee said:
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan

Personally, I use a unique email per site. I have an Office365 business account for my personal email ($4/mo for the basic Exchange mailbox with 25GB) and I have a script that creates an email on the system and adds a rule that filters that email into its own folder. I run it every time I sign up somewhere.
http://legioxi.com/2013/02/23/add-filtered-email-address-in-office365/

Regarding Evernote... anything special in it is encrypted. I also use a unique password that is around 25 characters. I don't have any issues remembering my passwords - and no I don't use common dictionary words. Though it took a while to get into the swing of remembering unique passwords.

For sites I'm not worried about (i.e. forums like this), I share a password though. Even if someone was to get it, the emails I sign up with are random so it wouldn't be any good anywhere else.

Unfortunately when I started doing the unique emails, Macrumors wouldn't send me a new activation email when I switched my account email. So this is a brand new one. Old one was Bogatyr.

furi0usbee · Mar 2, 2013

itickings said:
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

1Password is really nice.

I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

What I do thought, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

Bryan

jennyp · Mar 2, 2013

furi0usbee said:
I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net

That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

</pedantry>

dilbert99 · Mar 2, 2013

Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.

turtle777 · Mar 2, 2013

dilbert99 said:
Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.

Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

JamesInLA · Mar 2, 2013

KPOM said:
There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.

From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.

numbersyx · Mar 2, 2013

This is pretty shocking. I know people who put their credit card statements and receipts into Evernote. Makes me glad I didn't follow their advice. Ditto all the comments for 1Password...

ChristianVirtual · Mar 2, 2013

itickings said:
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

1Password is really nice.

That's what I also do since some time now: Service-specific email aliases. Not sure if that finally helps as I see also spam into generic adresses like Info@<domain> or postmaster@<domain>. The bad guys will adopt to whatever we try.

view2darrel · Mar 2, 2013

i change my password last night. i generate my password using 1password. all my password are all random 15-20 characters long with numbers.

maxosx · Mar 2, 2013

This event simply emphasizes the value of taking one's password & security plan seriously.

By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.

VirtualRain · Mar 2, 2013

Evernote needs to get serious about data loss and encrypt all data... not just your password or phrases within notes you choose to encrypt.

KPOM · Mar 2, 2013

JamesInLA said:
From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.

Hopefully that isn't the case, but I, too, found their explanation a bit disconcerting in that respect.

Synching and having access to my data, no matter what device I'm on is nice (Windows, Mac, iOS, Android), but if that means the Chinese military can spy on my data, I won't keep anything too sensitive synched. Chances are they don't care about my data, but once it's out there, people who do care may be able to get to it.

dilbert99 · Mar 3, 2013

turtle777 said:
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

I guess I was meaning more specifically that it should say

Dear username

where username does not need to be your real name.

I take your point...but I was always told to ignore any email that is not addressed to yourself. For me >99% of emails addressed as Dear User are either spam or phishing emails

Mitochris · Mar 3, 2013

I don't use evernote for anything sensitive, but I am more worried what it implies. If evernote is hacked, will syncing solutions, such as icloud of dropbox be targeted? For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the governments doing, we have a problem.

jennyp · Mar 3, 2013

Mitochris said:
I don't use evernote for anything sensitive, but I am more worried what it implies. If evernote is hacked, will syncing solutions, such as icloud of dropbox be targeted? For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the governments doing, we have a problem.

Valid points, I think. It all tempts me to go back to some kind of secure sneakernet - Knox vault moving from machine to machine...

Evernote Issues Password Reset After Security Breach

macrumors bot

macrumors 6502a

macrumors G3

macrumors 68020

macrumors 65816

macrumors 68000

macrumors P6

macrumors 68030

macrumors 68000

macrumors 6502a

macrumors 6502a

macrumors 68000

macrumors 6502a

macrumors 68020

macrumors 6502a

macrumors member

macrumors 65816

macrumors 601

macrumors member

macrumors 68020

macrumors 603

macrumors P6

macrumors 68020

macrumors regular

macrumors 6502a

Our Staff