After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach – and letting them know that it has decided to reset all passwords.
The email goes on to give some password advice – including a warning:
Never click on 'reset password' requests in emails - instead go directly to the service.
That’s a very sound piece of advice, because the obvious follow-on threat, now that millions of Evernote customers have had their usernames and email addresses stolen, is phishing emails that impersonate Evernote and ask those very users to “reset” their password.
But take a closer look at the email that Evernote has sent out, with the subject line “Evernote Security Notice: Service-wide Password Reset”:
Uh-oh, in the same email that Evernote tells users not to click on ‘reset password’ requests sent via email, they have clickable links.
And what might make some recipients pause for thought is that the links don’t go directly to evernote.com, but instead point at a domain called mkt5371.com.
Now, before you panic that someone is attempting to phish your Evernote credentials with a craftily-designed email, just relax.
This was just carelessness on Evernote’s part. mkt5371.com is a domain owned by Silverpop, an email marketing firm which Evernote has clearly employed to send emails to its 50 million or so affected users.
The links in this case *do* end up taking you to Evernote’s website – but go silently via Silverpop’s systems first.
Presumably that’s so Evernote can track and collect data on how successful the email campaign has been.
That’s a technique commonly used in normal marketing email communications, but it looks very out of place in an email about a security breach which tries to hammer home the point to “Never click on ‘reset password’ requests in emails – instead go directly to the service”.
You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.
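The only thing a recipient can check from the email itself is where each link's host points, not where a tracking redirect eventually lands. The script below is an added example, not code from the original post or from Evernote or Silverpop: it pulls the `href` targets out of a notification email and flags any link whose host is not on the sender's own registered domain, or which is plain http rather than https. The email body is constructed to mirror the case in the article (an Evernote notice whose links go via a Silverpop-owned mkt5371.com host); the `registered_domain` helper is a deliberately naive "last two labels" heuristic, which is fine for .com but a real tool would use the public suffix list.

```python
"""Audit the links in a notification email against the sender's own domain.

Added example (not from the original post, Evernote, Sophos or Silverpop).
The sample email below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the real Evernote email. The first link uses a
# Silverpop-style tracking host (mkt5371.com) as described in the article.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Evernote Security Notice: Service-wide Password Reset</p>
<p>Never click on 'reset password' requests in emails - instead go directly
to the service.</p>
<p><a href="http://links.evernote.mkt5371.com/ctt?kn=1&amp;m=1234">Reset your password</a></p>
<p><a href="https://evernote.com/">evernote.com</a></p>
<p><a href="http://www.evernote.com/">www.evernote.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every <a href="..."> target in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    # HTMLParser already unescapes &amp; in attribute values.
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Naive heuristic (assumption): the last two DNS labels, e.g.
    links.evernote.mkt5371.com -> mkt5371.com. Good enough for .com; a real
    tool should consult the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, expected_domain):
    """Return the link's host plus a list of reasons it looks out of place.

    Note that a tracking redirect that finally lands on expected_domain still
    fails here: from the email alone you cannot see where it ends up, which
    is exactly why the 'never click' advice exists."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if registered_domain(host) != expected_domain:
        findings.append(f"third-party host {host}")
    if parts.scheme != "https":
        findings.append(f"not https ({parts.scheme})")
    return {"url": url, "host": host, "findings": findings}


def audit_email(html, expected_domain):
    return [classify_link(u, expected_domain) for u in extract_links(html)]


def suspicious_links(html, expected_domain):
    """Only the links a cautious recipient should refuse to click."""
    return [r for r in audit_email(html, expected_domain) if r["findings"]]


if __name__ == "__main__":
    for result in audit_email(SAMPLE_EMAIL_HTML, "evernote.com"):
        marker = "!! " if result["findings"] else "OK "
        print(marker, result["url"], "; ".join(result["findings"]))
```

Run against the constructed sample, the mkt5371.com link is reported as both a third-party host and plain http, the https://evernote.com/ link passes, and the http://www.evernote.com/ link is on the right domain but still flagged for not being https, the point one of the commenters below makes about what a genuine reset link should look like.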
This is quite an interesting story. Thanks for the blog post!
A few months ago I received an email asking to reset my paypal password. But no publicly reported breach had occurred at that time. Since the email’s link to reset the password was not *.paypal.com but http://links.mkt2944.com/ctt… I thought it was phishing.
See my tweet here: https://twitter.com/gentmatt/status/282028098512371712
I’m still not sure what happened that day. But I went to the PayPal website myself and reset the password there.
It seems to me that any password reset request would also be more likely to send you to a site that was https instead of http.
The technique may be commonly used in normal marketing email communications, but the email communications firm asks for DNS records in the zone of the customer and usually does not use its own domain.
This is exactly what I thought when I read that email. I didn't even click on the link because of the warning. Come on, folks, think it through.
I got my email today, and I naturally would have clicked on the link until I read that sentence about never clicking on the links in the email. It does have a bit of bizarre sense about it, but I am still not clicking on the link. Stuff their data collection.
After reading this I moved all my stuff to Dropbox and deleted my Evernote account.
Right, because Dropbox has never been hacked… oh, wait. CNET: Dropbox Hacked
To be fair, DropBox can now prove that they learned their lesson. http://www.h-online.com/security/news/item/Worth-…
Hopefully Evernote has learned the same lessons. It's good to see Evernote at least knows the proper way to store passwords. That encourages me to think they will be a company that learns that fire is hot, hackers break everything, and be more cautious in the future.
The good outcome to an incident like this is a company like DropBox who clearly learns their lesson. A bad outcome is one where they don't learn and something like this happens again.
They are only using MD5 or SHA-1 (64-bit) for the hashes, so they may as well have just saved them in plain text (with the password-cracking GPU rigs out there).
At least they used random salts, so they can't use rainbow tables, meaning that two users with the password 'password1' have different hashes.
What still bothers me is the fact that so far I've only learned about the hack through Sophos. I have not received an email from Evernote. I did go to the site and was prompted to reset my password, but there was nothing indicating why. This leads me to conclude that I should not trust Evernote with my data.
I did the same thing when I couldn’t sign into my Evernote desktop app. I checked my email inbox and spam/junk folders, and did not find any notification or warning email issued from Evernote – except I did have the fake phishing email. Luckily I never click a reset password link unless I go to the site first and specifically request it.
Kind of funny…I received this mail from Evernote and noticed the "evernote.mkt5371.com" links. I thought it looked suspicious, so I searched for the domain and found this article. Glad I wasn't the only one weirded out. Pretty stupid, Evernote….
Maybe they're trying to trick them on purpose, to test if they're listening?
A very interesting discussion of this issue is on Evernote's forum now: http://discussion.evernote.com/topic/35615-phishi…
This is quite entertaining – and Evernote was doing so well in handling its breach until this point…
In this case it looks like Evernote (like many other companies) has simply outhoused corporate communications to a third party, i.e., they no longer speak for themselves. One might wonder if the costs Evernote saved are worth the irritation and confusion they caused to their customers.
First of all, never ever put your private data unprotected on any external service you don’t have control over yourself.
Second: Any data you send unprotected out of your own network, should be considered as “published on Internet”.
Third: It is you who are responsible for protecting your data. Nobody else.
I've already reset it before I got the e-mail from Evernote, thanks for this blog.
And my new password is… 😀
Their max password limit is 64 as well (no 255 ANSI or brackets, but you can use ?"£).