Evernote password reset: Data-protection FAIL

Evernote's password protection found wanting, as hackers filch data.

Evernote password protect reset

Evernote, the cloud-based note-taking service, has 'fessed up to being hacked. It seems the attackers made off with users' email addresses and the password database. The passwords were salted and hashed, but there's no word on how strongly.

In IT Blogwatch, bloggers chalk up another high-profile cloud intrusion.

Your humble blogwatcher curated these bloggy bits for your entertainment.

Juan Carlos Perez reportz:

Evernote...is forcing all of its 50 million users to change their passwords after...a hacker...gained access to Evernote accounts' usernames, email addresses and passwords. ... There is no evidence that the malicious hackers accessed user content nor...customers' payment information.

...

Evernote is the latest victim in a recent string of hacking incidents against high-profile technology companies.  MORE

Brian Krebs adds this advice:

If you use Evernote (heck, even if you don’t), now is a great time to review your password practices. [Don't] reus[e] your email password at any other site.

...

Also...hashing and salting [can be] far from solid protection. ...the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye. ...some of the strongest passwords aren’t words at all but multi-word phrases.  MORE

The faceless "Evernote team" blog thuswise:

As a precaution to protect your data, we have decided to implement a password reset. ... Even though this information was accessed, the passwords stored by Evernote...are hashed and salted. ... [But] in an abundance of caution, we are requiring all users to reset their Evernote account passwords.

...

As recent events with other large services have demonstrated, this type of activity is becoming more common. ... We apologize for the annoyance of having to change your password.  MORE

But Graham Cluley notes the oint in the flyment:

Evernote, quite responsibly, has sent out emails to its users [which] goes on to give some password advice - including a warning: "Never click on 'reset password' requests in emails - instead go directly to the service."

...

But take a closer look at the email...with the subject line "Evernote Security Notice: Service-wide Password Reset"...in the same email that Evernote tells users not to click on 'reset password' requests sent via email, they have clickable links. And...the links don't go directly to evernote.com, but...to a site called mkt5371.

...

You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.  MORE

And Anthony Northcutt fears the worst:

...what kind of hashing or encryption [did] they use to store passwords? I've commented on their blog and their Facebook page asking for more transparency but have yet to receive any reply.  MORE

Meanwhile, Sean Percival hilariously quips:

Evernote to change its name to Ever Notice Your Grocery List Got Hacked?  MORE

In a similar vein, B.F. Andreas makes lemonade:

To whoever cracked Evernote:

Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer.  MORE

Computerworld Blogs Newsletter

Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.  

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies