User Information Accessed in Coordinated Hacking Attempt on Evernote
Web-based note-sharing service Evernote issued a security notice warning users of “suspicious activity” in their network that resulted in the exposure of usernames, cryptographically protected passwords, and e-mail addresses.
No evidence of data tampering was discovered, and Evernote emphasized that no user payment information was exposed. By issuing a precautionary password reset notice to all its 50 million users, Evernote hopes to avoid any user account breaches that might follow.
“In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost,” said the Evernote Team. “We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.”
Evernote’s passwords were cryptographically protected (hashed and salted), but cracking them, although time-consuming, could eventually be done. The company did not detail the nature of the security breach and could still be investigating.
Acknowledging that hacking activities on large services are becoming common, the company reassured users that it is constantly improving security to better protect personal and sensitive data. The Evernote Team issued three simple tips on how to create a strong password, and apologized for the inconvenience, saying that resetting everyone’s password is the only way to make sure no account gets compromised.
“There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
- Avoid using simple passwords based on dictionary words
- Never use the same password on multiple sites or services
- Never click on ‘reset password’ requests in emails — instead go directly to the service
Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience.”