Evernote, the online note-taking service, has posted an advisory informing its nearly 50 million users that it has suffered a serious security breach that saw hackers steal usernames, associated email addresses and encrypted passwords.
It’s not clear how the hackers managed to gain access to Evernote’s systems, or how long the hackers had access to Evernote’s account information.
However, in an interview with TechCrunch, Evernote said that they had first noticed suspicious activity on February 28th.
The good news is that no payment details were stolen, and according to the company the hackers were not able to access notes that users had stored on the Evernote service.
Furthermore, it sounds as though the stored passwords were protected by hashing and salting rather than kept in plain text, to prevent login details falling into the wrong hands. (It would be reassuring, of course, if Evernote shared more details of how the passwords were hashed and salted.)
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.
What’s not good news is that the hackers now have access to the usernames and email addresses of Evernote customers. It is easy to imagine how this information could be abused – for instance, the hackers could send out spam emails to those users claiming to come from Evernote, and trick them into visiting a malicious website.
And, of course, it’s another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information. Evernote sounds to me like it’s another online service that would benefit from providing its users with additional account security – such as two factor authentication.
Evernote advises users to choose a strong password, and to be suspicious of reset password links sent to users via email. Furthermore, everyone should ensure that they are not using the same password on multiple sites.
Evernote appears to have acted reasonably rapidly in response to this security incident, and it will be interesting to see if they share any more information about how the hack might have occurred in the coming days.
Further reading: Evernote shoots itself in foot over “never click on ‘reset password’ requests” advice
As always, great post and it is (sadly) no longer really surprising to hear of a cloud service getting its systems compromised. I agree with you that it is pretty useful (and important) for us to learn a bit more about what actually happened here.
Interestingly, Evernote never notified me of anything, I only discovered it about half an hour ago when I tried to access my notes and got a Username / Password failed message, with no additional detail as to why or what had gone on.
One thing in your post that I am not so sure about though.
You say, and I agree, that the main risk here is going to be attackers using the ID/Emails to phish Evernote users into visiting hostile sites.
But I fail to see how 2FA would protect against what has happened (compromise of user IDs) and the subsequent risk that this information will be used to phish people into visiting malicious websites.
Would the use of 2FA for end users have prevented the attackers from getting access to the user account details? Would 2FA prevent the attackers from phishing customers?
You’re right that 2FA wouldn’t have stopped hackers accessing the Evernote account details.
However, if the hackers were able to access the usernames and passwords then they wouldn’t have been able to do anything with them (no ability to log into accounts and steal notes and other data etc) if 2FA was implemented and enabled.
If a service offers you 2FA, my advice would be to turn it on. I’m amazed how many people don’t seem to use 2FA on their Gmail, for instance, even though it’s zero cost to the user.
Hi Graham,
I quite agree that if 2FA is offered at zero cost, there is no reason to not use it, I just think that in this instance it wouldn't have made any difference to what happened.
If Evernote are correct and they properly encrypted their password files then the attackers aren't going to break them any time soon and won't be able to do anything with the data – without 2FA being needed.
From what has been reported here, the attackers don't have the ability to log into accounts & steal notes and, even if 2FA was implemented, it is likely a compromise of this nature would result in a service wide password reset.
There are (IMHO anyway) too many instances of companies rushing to implement xFA authentication when the underlying framework is still broken (so SQL injections still manage to extract password hashes, for example). Rather than add to the cost and complexity, companies should make sure they have taken the right baseline measures first.
Hard as it may be to believe, there are some of us who do not have cell phones. Or whose rural location precludes the 24/7 use of cell phones. So 2FA is not an option.
Right. And there are those of us who have cell phones, but only use them to make and receive actual phone calls (remember those?). For my part, I keep the phone turned off most of the time.
Nevertheless, cell phone is not the only form of two-factor authorization. There are hardware dongles, graphic image recognition, and other challenge-response methods that can do the job of providing additional security. It's up to service providers to accommodate users' limitations (like lack of cell phone access) in implementing 2FA.
I lost nearly all my Evernote notebooks, information that I use at work. Knowledge that I have been compiling over the last year. All my passwords were stored in Evernote, it was easy access for me wherever I went. What do I do now? I don't have the memory to recall my passwords or my notebook information, I am truly devastated. Can you help me, I do not know how to find / contact Evernote support team for help.
Sincerely,
Diane Hardy
You can contact Evernote’s support team via https://evernote.com/contact/support/
Of course, they’re probably a bit busy at the moment… so be patient.
Good luck!
Hi Diane,
What do you mean you lost your notebooks? Evernote have made this password reset reasonably painless and as far as I can see you don't need to know your original password (which is worrying for other reasons).
However, at a push you can go to https://www.evernote.com/RForgotPassword.action and enter your email address to get a password reset sent out to you.
"I don't have the memory to recall my passwords or my notebook information" this doesn't matter. Your password has been reset anyway so there is no need to remember it. Go through the password reset process which uses the e-mail address, you'll choose a new password and you'll be able to access all of your data.
In future, for storing passwords use a program/service like Lastpass or Keepass, as is often recommended on this site.
I use Keepass on my home computer. I have uploaded the program file and the password file to my Google drive.
As the password file is encrypted, provided I have a long password, it should be safe. By uploading the program file I also have a copy of the file that I can download to a local computer that I can use to decrypt it.
Lack of confidence in implementation of 2 factor security is one reason that people don’t turn it on. If I believe that a company’s policies will (sometimes, in ‘exceptional’ circumstances) allow someone with access to only one of the pieces to access the account, 2 factor is worse than 1.
And in Google's case, it can become quite complex to manage and is a persistent Pain In the A. I have been a computer consultant for 30+ years and 80% of my customers would be confused at some point.
I became aggravated with it and turned it off on my own account.
Between the mobile and the desktop components, it became a mess to deal with.
And ever try to get support from anyone at Google on a free product?
Or as a low volume SMB user/consultant for an Enterprise product.
Non-existent.
Obviously not very helpful to my security health.
Security measures have to be designed to be the best possible compromise between security levels and usability by the average user.
In a situation like this, is it possible for the hackers to find out what the salt for each password is?
Yes – assuming the attackers have access to the user database – they likely have access to the hash and salt for each user (there are exceptions and other layers of obscurity but generally speaking… )
Even with a known salt for each user, it will slow the password recovery process down quite a bit, and if they are using a decent hashing algorithm, even more so, but does not make password recovery impossible.
Anyone using a weak password would still be at risk. That is likely why Evernote reset everyone's password – to ensure that nobody was affected.
It has come to light that Evernote was (still is?) storing passwords as salted raw MD5, which as you hopefully know, is woefully inadequate even with salting.
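The exchange above (a known per-user salt still leaves each record open to guessing, and the cost per guess depends on the hash) as an added example; this is not Evernote's code, and the PBKDF2 round count is an assumption chosen for illustration.

```python
import hashlib
import os
import secrets
import time

# Added example, not Evernote's implementation. "weak" is the salted
# single-round MD5 the thread describes; "strong" is PBKDF2-HMAC-SHA256
# with a deliberate work factor (assumed value for the example).
PBKDF2_ROUNDS = 200_000

def hash_weak(password: str, salt: bytes = b"") -> str:
    """Salted raw MD5. The salt is stored next to the digest, so it is
    never secret; it only prevents precomputed (rainbow) tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def hash_strong(password: str, salt: bytes = b"", rounds: int = PBKDF2_ROUNDS) -> str:
    """PBKDF2: same salt handling, but each guess costs `rounds` HMACs."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the salt (and rounds) taken from the stored record
    and compare in constant time."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        salt, _ = fields
        candidate = hash_weak(password, bytes.fromhex(salt))
    elif scheme == "pbkdf2_sha256":
        rounds, salt, _ = fields
        candidate = hash_strong(password, bytes.fromhex(salt), int(rounds))
    else:
        return False
    return secrets.compare_digest(candidate, stored)

def guesses_per_second(stored: str, seconds: float = 0.5) -> float:
    """Audit helper: how many candidate passwords one CPU core can check per
    second against a single record. Since the salt is in the record, this
    measures the hash cost alone, which is the only thing the salt cannot fix."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify(f"guess{n}", stored)
        n += 1
    return n / (time.perf_counter() - start)
```

Running `guesses_per_second` on a record of each kind shows the ratio the comment is getting at: the salt is identical in both schemes, yet the work factor is what turns a weak password from minutes into years of guessing.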
The whole thing seemed like a scam to me. I received an email addressed to “Dear Evernote User” instead of a personal name, and the link to enter the current password has the following address…
http colon slash slash links.evernote.mkt5371.com/ctt?kn=4&ms…
Notice the primary domain is “mkt5371.com” instead of evernote.com.
Be wary!
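The check the commenter made by eye (does the link's registrable domain match the sender's?) as an added example, not from the post or from Evernote; it assumes a simplistic "last two labels" rule for the registrable domain, which real tooling replaces with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Added example. The "last two labels" rule below is an assumption made
# for illustration; names such as example.co.uk need the Public Suffix List.

def registrable_domain(url: str) -> str:
    """Return the registrable domain of the URL's host, or "" if none."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = [part for part in host.split(".") if part]
    if len(labels) < 2:
        return ""
    return ".".join(labels[-2:])

def link_matches_sender(url: str, expected_domain: str) -> bool:
    """True only when the registrable domain is exactly the expected one.
    A brand used as a subdomain (links.evernote.mkt5371.com) does not count,
    because the owner of the record is mkt5371.com, not evernote.com."""
    return registrable_domain(url) == expected_domain.lower()

def flag_links(urls, expected_domain):
    """Return the links in a message that do not belong to the expected domain."""
    return [u for u in urls if not link_matches_sender(u, expected_domain)]

# Constructed sample links in the style of the one quoted in the comment.
SAMPLE_LINKS = [
    "https://www.evernote.com/RForgotPassword.action",
    "http://links.evernote.mkt5371.com/ctt?kn=4",  # brand as a subdomain elsewhere
    "http://evernote.com@example.net/login",        # userinfo before '@'; host is example.net
    "http://evernote.com.example.org/reset",        # brand as a leading label
]

if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS, "evernote.com"):
        print("not evernote.com:", link, "->", registrable_domain(link))
```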
Yet another reason why I do not store things in the cloud.
Something is really messed up here. I went on website to change the password. I added a new note via website. Then, I opened the app on my desktop. It synced the new note without prompting for the new password.
Then I went to ipad. It synced and did not prompt me for the new password
THEY HAVE A HUGE ISSUE HERE!!
A simple word of advice – DO NOT USE CLOUD.
If you want to store your own data, keep it securely on your own PC/Laptop/Notebook/etc. Use encryption for any 'sensitive' stuff and perhaps use Keepass or similar for generating and storing passwords.
Plus there are other benefits. I have travelled by rail quite a bit and sometimes get stuck in tunnels – so no access to the web for anything. But as I keep all my work data on my laptop in encrypted form it is available to me 24/7. Only risk is losing the laptop so I have a natty little gadget that connects to the security anchorage on the laptop at one end and my wrist at the other. They'd have to cut through sheathed steel chain to nick it and my data! (Had to have it made specially, any manufacturers think that a saleable security item?)
"They'd have to cut through sheathed steel chain to nick it ..!"…or your wrist, which would be a bit easier…
I've never used Evernote before, but I had an update for it show up today "to fix a security issue" according to them. Should I be concerned?
What's sad is I had several offline updates on my ipad, and when I connected it today, it forcibly signed me out, had to reset password, re-login, and poof… my updates are gone forever.
This should be handled more gracefully. This was really valuable content I had.
I had this same problem… a project I've spent days on. As soon as my iPad reconnected to WiFi and Evernote tried to sync, gone.
If Evernote uses your gmail as auth, meaning you never set an Evernote password directly, does this mean that the password is safe? Or is the google sign-on compromised?