Evernote hacked – almost 50 million passwords reset after security breach

EvernoteEvernote, the online note-taking service, has posted an advisory informing its near 50 million users that it has suffered a serious security breach that saw hackers steal usernames, associated email addresses and encrypted passwords.

It’s not clear how the hackers managed to gain access to Evernote’s systems, or how long the hackers had access to Evernote’s account information.

However, in an interview with TechCrunch, Evernote said that they had first noticed suspicious activity on February 28th.

The good news is that no payment details were stolen, and according to the company the hackers were not able to access notes that users had stored on the Evernote service.

Furthermore, it sounds as though the passwords were encrypted, using hashes and salting to prevent login details falling into the wrong hands. (It would be reassuring – of course – to have more details shared by Evernote of how the passwords were hashed and salted).

Evernote advisory

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

What’s not good news is that the hackers now have access to the usernames and email addresses of Evernote customers. It is easy to imagine how this information could be abused – for instance, the hackers could send out spam emails to those users claiming to come from Evernote, and trick them into visiting a malicious website.

And, of course, it’s another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information. Evernote sounds to me like it’s another online service that would benefit from providing its users with additional account security – such as two factor authentication.

Evernote advises users to choose a strong password, and to be suspicious of reset password links sent to users via email. Furthermore, everyone should ensure that they are not using the same password on multiple sites.

Evernote appears to have acted reasonably rapidly in response to this security incident, and it will be interesting to see if they share any more information about how the hack might have occurred in the coming days.

Further reading: Evernote shoots itself in foot over “never click on ‘reset password’ requests” advice