Evernote Issues Password Reset After Security Breach

Discussion in 'iOS Blog Discussion' started by MacRumors, Mar 2, 2013.

  1. macrumors bot


    Apr 12, 2001

    Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

    While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.
    All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.

    Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.

    Article Link: Evernote Issues Password Reset After Security Breach
  2. macrumors 6502a


    Apr 14, 2007
    Better safe than sorry.

    Good thing I don't reuse passwords (and seldom reuse usernames) anyways. :)
  3. macrumors G3

    Jessica Lares

    Oct 31, 2009
    Near Dallas, Texas, USA
    I have been an Evernote user since it was in beta. Sad to see this happen to them.
  4. macrumors 65816


    Jun 3, 2009
    SF Bay Area
    I haven't been using them since beta, but I've been using them for a long time and I agree. Works amazing for class notes; couldn't imagine surviving in college without it.
  5. macrumors 65816

    Jan 3, 2011
    Reported this ages ago via got a tip or whatever it is called link lol.
  6. macrumors 65816


    Jul 11, 2008
    What do you use then? Most websites set email address as username. Do you have dozens of email addresses? 22/64 of my logins require an email address as username.

    I'm using 1Password as my manager, and use 20 character passwords, never repeat a password.

  7. macrumors G4

    Oct 23, 2010
    There's a reason I don't trust all my financial data to the cloud just yet, and this is it. I like Evernote, but I keep most of my files in unsynched folders. At least Evernote salted and hashed their passwords. But with a certain government (allegedly) making non-stop attempts to hack into the servers of major companies and services, it puts a damper on the rush to the cloud.
  8. macrumors 68000

    James Craner

    Sep 13, 2002
    Bristol, UK
    It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

    No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address and password is taken, you are vulnerable. If you are daft enough to use the same password on other websites, then not only are you venerable on that website, but every website that you use the same password.

    I use 1Password.
  9. macrumors 65816


    Jul 11, 2008
    I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

  10. macrumors 6502a


    Apr 14, 2007
    One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

    1Password is really nice.
  11. macrumors 6502a

    Mar 2, 2013
    Personally, I use a unique email per site. I have an Office365 business account for my personal email ($4/mo for the basic Exchange mailbox with 25GB) and I have a script that creates an email on the system and adds a rule that filters that email into its own folder. I run it every time I sign up somewhere.

    Regarding Evernote... anything special in it is encrypted. I also use a unique password that is around 25 characters. I don't have any issues remembering my passwords - and no I don't use common dictionary words. Though it took a while to get into the swing of remembering unique passwords.

    For sites I'm not worried about (i.e. forums like this), I share a password though. Even if someone was to get it, the emails I sign up with are random so it wouldn't be any good anywhere else.

    Unfortunately when I started doing the unique emails, Macrumors wouldn't send me a new activation email when I switched my account email. So this is a brand new one. Old one was Bogatyr.
  12. macrumors 65816


    Jul 11, 2008
    I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

    What I do thought, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

  13. macrumors 6502

    Oct 27, 2007
    That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

  14. macrumors regular

    Jul 23, 2012
    Why do companies still insist on spamming users with emails starting with:

    Dear Evernote user,

    Evernote's Operations & Security team has discovered and blocked suspicious

    rather than addressing us by name.
  15. macrumors 6502a

    Apr 30, 2004
    Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

  16. macrumors member

    May 28, 2012
    From the description, it sounds like most of the user data was compromised. If the password salt was stored in the same table as the user name and hashed password, then it's not much help, particularly if they have a few known passwords they can use to try and identify the particular salting & hashing process.
  17. macrumors 65816


    Sep 29, 2006
    This is pretty shocking. I know people who put their credit card statements and receipts into Evernote. Makes me glad I didn't follow their advice. Ditto all the comments for 1Password...
  18. macrumors 68040


    May 10, 2010
    That's what I also do since some time now: Service-specific email aliases. Not sure if that finally helps as I see also spam into generic adresses like Info@<domain> or postmaster@<domain>. The bad guys will adopt to whatever we try.
  19. macrumors member

    Jul 26, 2012
    i change my password last night. i generate my password using 1password. all my password are all random 15-20 characters long with numbers.
  20. macrumors 68020

    Dec 13, 2012
    Southern California
    This event simply emphasizes the value of taking one's password & security plan seriously.

    By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.
  21. macrumors 603


    Aug 1, 2008
    Vancouver, BC
    Evernote needs to get serious about data loss and encrypt all data... not just your password or phrases within notes you choose to encrypt.
  22. macrumors G4

    Oct 23, 2010
    Hopefully that isn't the case, but I, too, found their explanation a bit disconcerting in that respect.

    Synching and having access to my data, no matter what device I'm on is nice (Windows, Mac, iOS, Android), but if that means the Chinese military can spy on my data, I won't keep anything too sensitive synched. Chances are they don't care about my data, but once it's out there, people who do care may be able to get to it.
  23. macrumors regular

    Jul 23, 2012
    I guess I was meaning more specifically that it should say

    Dear username

    where username does not need to be your real name.

    I take your point...but I was always told to ignore any email that is not addressed to yourself. For me >99% of emails addressed as Dear User are either spam or phishing emails
  24. macrumors newbie

    Feb 9, 2011
    I don't use evernote for anything sensitive, but I am more worried what it implies. If evernote is hacked, will syncing solutions, such as icloud of dropbox be targeted? For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.
    In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the governments doing, we have a problem.
  25. macrumors 6502

    Oct 27, 2007
    Valid points, I think. It all tempts me to go back to some kind of secure sneakernet - Knox vault moving from machine to machine...

Share This Page