Old Mar 2, 2013, 02:18 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Evernote Issues Password Reset After Security Breach




Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.
Quote:
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
All Evernote users will be prompted to choose a new password when logging in to the website. The company is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach
MacRumors is offline   0 Reply With Quote
Old Mar 2, 2013, 02:32 PM   #2
itickings
macrumors 6502a
 
Join Date: Apr 2007
Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways.
__________________
Rawr!
itickings is offline   0 Reply With Quote
Old Mar 2, 2013, 02:32 PM   #3
Jessica Lares
macrumors 603
 
Join Date: Oct 2009
Location: Near Dallas, Texas, USA
I have been an Evernote user since it was in beta. Sad to see this happen to them.
__________________
Have You Hugged Your Mac Today?
Daily Expressions | iMac G4 | Late 2011 13" MacBook Pro | iPod Nano (7G) | iPad Mini | iPod Touch (5G) | iPhone 5S
Jessica Lares is offline   0 Reply With Quote
Old Mar 2, 2013, 02:40 PM   #4
impulse462
macrumors 65816
 
Join Date: Jun 2009
Location: SF Bay Area
Quote:
Originally Posted by Jessica Lares View Post
I have been an Evernote user since it was in beta. Sad to see this happen to them.
I haven't been using them since beta, but I've been using them for a long time and I agree. Works amazing for class notes; couldn't imagine surviving in college without it.
__________________
13.3" MacBook Air, 1.3GHz Core i5, 4GB RAM, 128GB SSD; 16GB Gold iPhone 5s
impulse462 is offline   0 Reply With Quote
Old Mar 2, 2013, 02:51 PM   #5
abz1981
macrumors 6502a
 
Join Date: Jan 2011
Quote:
Originally Posted by MacRumors View Post
Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords. All Evernote users will be prompted to choose a new password when logging in to the website. The company is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked after employees visited iPhoneDevSDK, an online forum for software developers.

Article Link: Evernote Issues Password Reset After Security Breach
Reported this ages ago via got a tip or whatever it is called link lol.
__________________
13.3" Macbook Air 2011, 1.7GHz, 4 GB RAM, 128GB flash storage; Apple Iphone 5 16GIG Black.
abz1981 is offline   0 Reply With Quote
Old Mar 2, 2013, 03:00 PM   #6
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
Quote:
Originally Posted by itickings View Post
Better safe than sorry.

Good thing I don't reuse passwords (and seldom reuse usernames) anyways.
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   0 Reply With Quote
Old Mar 2, 2013, 03:10 PM   #7
KPOM
macrumors G3
 
Join Date: Oct 2010
There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.
KPOM is offline   1 Reply With Quote
Old Mar 2, 2013, 03:11 PM   #8
James Craner
macrumors 68000
 
Join Date: Sep 2002
Location: Bristol, UK
It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address, and password are taken, you are vulnerable. If you are daft enough to use the same password on other websites, then not only are you vulnerable on that website, but on every website where you use the same password.

I use 1Password.
__________________
Productivity Orchard Be more productive with your Mac
James Craner is offline   1 Reply With Quote
Old Mar 2, 2013, 03:16 PM   #9
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
I have a 20 character master password with 1Password. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   0 Reply With Quote
Old Mar 2, 2013, 03:31 PM   #10
itickings
macrumors 6502a
 
Join Date: Apr 2007
Quote:
Originally Posted by furi0usbee View Post
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.
__________________
Rawr!
itickings is offline   1 Reply With Quote
Old Mar 2, 2013, 03:56 PM   #11
legioxi
macrumors regular
 
Join Date: Mar 2013
Quote:
Originally Posted by furi0usbee View Post
What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

Bryan
Personally, I use a unique email per site. I have an Office365 business account for my personal email ($4/mo for the basic Exchange mailbox with 25GB) and I have a script that creates an email on the system and adds a rule that filters that email into its own folder. I run it every time I sign up somewhere.
http://legioxi.com/2013/02/23/add-fi...-in-office365/

Regarding Evernote... anything special in it is encrypted. I also use a unique password that is around 25 characters. I don't have any issues remembering my passwords - and no I don't use common dictionary words. Though it took a while to get into the swing of remembering unique passwords.

For sites I'm not worried about (i.e. forums like this), I share a password though. Even if someone was to get it, the emails I sign up with are random so it wouldn't be any good anywhere else.

Unfortunately when I started doing the unique emails, Macrumors wouldn't send me a new activation email when I switched my account email. So this is a brand new one. Old one was Bogatyr.
legioxi is offline   0 Reply With Quote
Old Mar 2, 2013, 04:23 PM   #12
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
Quote:
Originally Posted by itickings View Post
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.
I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

What I do, though, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

Bryan
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   1 Reply With Quote
Old Mar 2, 2013, 05:53 PM   #13
jennyp
macrumors 6502
 
Join Date: Oct 2007
Quote:
Originally Posted by furi0usbee View Post
I have a 20 character master password with 1Password. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net
That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

</pedantry>
jennyp is offline   2 Reply With Quote
Old Mar 2, 2013, 06:03 PM   #14
dilbert99
macrumors regular
 
Join Date: Jul 2012
Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.
dilbert99 is offline   0 Reply With Quote
Old Mar 2, 2013, 06:37 PM   #15
turtle777
macrumors 6502
 
Join Date: Apr 2004
Quote:
Originally Posted by dilbert99 View Post
Why do companies still insist on spamming users with emails starting with:

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious

rather than addressing us by name.
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t
turtle777 is offline   0 Reply With Quote
Old Mar 2, 2013, 07:01 PM   #16
JamesInLA
macrumors member
 
Join Date: May 2012
Quote:
Originally Posted by KPOM View Post
There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.
From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.
JamesInLA is offline   0 Reply With Quote
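
Added example, not part of the thread and not Evernote's code: the "hashed and salted" storage discussed in the post above, with each salt kept in the same record as its hash. It assumes PBKDF2-HMAC-SHA256, an iteration count and a constructed user table, since the page does not say which scheme Evernote used, and compares that table with an unsalted one.

```python
import hashlib
import hmac
import os

# Assumptions for illustration: PBKDF2-HMAC-SHA256 and this iteration count.
# The page does not state which scheme Evernote used.
ITERATIONS = 200_000

# Constructed sample users; alice and bob picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}


def unsalted_record(password):
    """Weak baseline: a single fast hash with no salt."""
    return {"hash": hashlib.sha256(password.encode("utf-8")).hexdigest()}


def salted_record(password, salt=None):
    """Row as stored: per-user random salt kept next to the slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hashes(table):
    """Groups of users whose stored hash is identical (same password shows)."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record["hash"], []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo():
    plain = {u: unsalted_record(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return shared_hashes(plain), shared_hashes(salted), salted


if __name__ == "__main__":
    plain_groups, salted_groups, table = demo()
    print("unsalted, users sharing a hash:", plain_groups)
    print("salted, users sharing a hash:  ", salted_groups)
    print("login check:", verify("correct horse", table["alice"]))
```

The salt has to be readable for verification, so storing it beside the hash is the normal layout; what slows offline guessing against a copied table is the iteration count and the strength of each password.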
Old Mar 2, 2013, 08:25 PM   #17
numbersyx
macrumors 65816
 
Join Date: Sep 2006
This is pretty shocking. I know people who put their credit card statements and receipts into Evernote. Makes me glad I didn't follow their advice. Ditto all the comments for 1Password...
numbersyx is offline   0 Reply With Quote
Old Mar 2, 2013, 09:31 PM   #18
ChristianJapan
macrumors Demi-God
 
Join Date: May 2010
Location: 日本
Quote:
Originally Posted by itickings View Post
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shut down an address if it starts to get spam...

1Password is really nice.
That's what I also do since some time now: Service-specific email aliases. Not sure if that finally helps as I see also spam into generic addresses like Info@<domain> or postmaster@<domain>. The bad guys will adapt to whatever we try.
__________________
Member of MacRumors.com Folding@Home Team (#3446) & developer of the F@H Mobile Monitoring app.
ChristianJapan is offline   0 Reply With Quote
Old Mar 2, 2013, 09:35 PM   #19
view2darrel
macrumors member
 
Join Date: Jul 2012
I changed my password last night. I generate my passwords using 1Password. All my passwords are random, 15-20 characters long with numbers.
view2darrel is offline   0 Reply With Quote
Old Mar 2, 2013, 10:02 PM   #20
maxosx
macrumors 68020
 
Join Date: Dec 2012
Location: Southern California
This event simply emphasizes the value of taking one's password & security plan seriously.

By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.
maxosx is offline   1 Reply With Quote
Old Mar 2, 2013, 10:07 PM   #21
VirtualRain
macrumors 603
 
Join Date: Aug 2008
Location: Vancouver, BC
Evernote needs to get serious about data loss and encrypt all data... not just your password or phrases within notes you choose to encrypt.
__________________
tools: nMP for photography, rMBP for working, iPad for surfing, iPhone for communicating, Mac Mini for entertaining
Canon tools: 5D Mark III 24-105L/70-300L/35L/50L/85L for capturing
VirtualRain is offline   0 Reply With Quote
Old Mar 2, 2013, 10:58 PM   #22
KPOM
macrumors G3
 
Join Date: Oct 2010
Quote:
Originally Posted by JamesInLA View Post
From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.
Hopefully that isn't the case, but I, too, found their explanation a bit disconcerting in that respect.

Synching and having access to my data, no matter what device I'm on is nice (Windows, Mac, iOS, Android), but if that means the Chinese military can spy on my data, I won't keep anything too sensitive synched. Chances are they don't care about my data, but once it's out there, people who do care may be able to get to it.
KPOM is offline   0 Reply With Quote
Old Mar 3, 2013, 03:19 AM   #23
dilbert99
macrumors regular
 
Join Date: Jul 2012
Quote:
Originally Posted by turtle777 View Post
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t
I guess I was meaning more specifically that it should say

Dear username

where username does not need to be your real name.

I take your point... but I was always told to ignore any email that is not addressed to yourself. For me >99% of emails addressed as Dear User are either spam or phishing emails.
dilbert99 is offline   0 Reply With Quote
Old Mar 3, 2013, 03:53 AM   #24
Mitochris
macrumors newbie
 
Join Date: Feb 2011
I don't use Evernote for anything sensitive, but I am more worried what it implies. If Evernote is hacked, will syncing solutions, such as iCloud or Dropbox be targeted? For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the government's doing, we have a problem.
Mitochris is offline   0 Reply With Quote
Old Mar 3, 2013, 05:18 AM   #25
jennyp
macrumors 6502
 
Join Date: Oct 2007
Quote:
Originally Posted by Mitochris View Post
I don't use Evernote for anything sensitive, but I am more worried what it implies. If Evernote is hacked, will syncing solutions, such as iCloud or Dropbox be targeted? For instance, 1Password or Wallet use iCloud or Dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/master password and access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the government's doing, we have a problem.
Valid points, I think. It all tempts me to go back to some kind of secure sneakernet - Knox vault moving from machine to machine...
jennyp is offline   0 Reply With Quote
All times are GMT -5.