
Evernote hacked, recommends users change passwords now

post #1 of 11
Thread Starter 
Popular note-taking service Evernote has instituted a service-wide password reset for all members, revealing that there had been suspicious activity on its network that looked like a hacking attempt.

Evernote recommends users log into Evernote.com to reset their passwords.


In a blog post on Saturday, it was revealed that Evernote's Operations & Security team had seen activity pointing toward a coordinated attempt at accessing secure features of the service. A subsequent investigation showed no signs that user content had been accessed, changed, or lost. There were also no signs that payment information for any customers had been accessed.

The hackers were able, though, to access Evernote user information, including usernames, email addresses associated with accounts, and encrypted passwords. The passwords stored by Evernote feature one-way encryption, meaning they are both hashed and salted.

Evernote now requires users to create a new password by signing into their accounts on evernote.com. Upon resetting their passwords, users will have to sign in using that password on any other Evernote apps they use.
post #2 of 11
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
post #3 of 11
Quote:
Originally Posted by unother View Post

All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.

 

I've just started to appreciate its use though I didn't get it at first. I think I'll go back to using it.

 

Although I use Reading List via Safari even on my non-Apple devices, I still use Evernote as a backup.

 

I also downloaded Penultimate for my iPad, and use the Dolphin browser; they both integrate tightly with Evernote.

post #4 of 11
Headline is wrong. They don't recommend changing passwords, they are forcing all users to change their passwords.

I first learned of this when a not so friendly message popped up on my Mac's Evernote app saying something like "your password has been changed" and it wouldn't sync any more. I was like "WTF? Has someone stolen my account? My password is strong, how can this be?" So I tried to log in to the website. It took my password and went to a "reset your password" page. So then I was like, "Oh. Someone who had my email address asked for a reset. Still looks like a hack attempt on my account." Next move was to look for the usual email one gets when requesting a password reset. Nothing. Totally puzzled, I Googled a bit and found the news. Then, it took several attempts to actually change my password - their servers must have been slammed over this.

The point of this story is that it was handled in a very user-unfriendly manner. I can only imagine the deluge of support requests they must have gotten from the 90% of their users who couldn't work this out on their own.

That said, it was the right move to invalidate all existing passwords. The stolen hashed passwords were most certainly being subjected to brute force and dictionary attacks. I doubt they were literally "encrypted". They were most likely cryptographically hashed with salt added beforehand.
post #5 of 11
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.
post #6 of 11
Quote:
Originally Posted by scotty321 View Post

@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users,

I didn't get one...

post #7 of 11
The really big snafu was that after updating the Evernote app from an iDevice and changing passwords, sign-in failed. The password change was effectively recorded though because the website would recognize it and allow sign-in, just the app gave an error notice. Deleting and re-installing the app fixed it, but some users reported data loss. I didn't lose any of mine, but then I had an earlier version of Evernote in my old iPad so maybe it just synced from there, dunno.
Hey, this Kool-Aid is delicious, what do you put in it?!
post #8 of 11
I received an email notification, but I found it highly suspect. All the "log in and change your password" links were not linked to pure evernote.com URLs. The inline text links simply read "evernote.com", but actually linked to a domain similar to this: "links.evernote.mkt1388.com". I assumed it was a phishing scam, and didn't click through.

However, when I used the desktop app to try and access my account, I couldn't. I was forced to do a full log in, but then was unable to use my existing user/password combination. The error I received was something like "too many unsuccessful login attempts, please wait and try again later."

I initiated a password reset by using the 'forgot my password' function, and received a new confirmation email, this time from a pure evernote.com address. I reset my password directly, and everything resumed as normal.

I'm not sure the original email I received was legitimate. I still have it, so perhaps I'll send it to Evernote with an enquiry. It only added to my uncertainty at first...

If it was legit, it was very poorly handled.
Edited by tribalogical - 3/4/13 at 7:34am
post #9 of 11
Quote:
Originally Posted by unother View Post

All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.

After iCloud ate all the documents in my Notes app, I switched to Evernote.  Haven't looked back once.

post #10 of 11

Don't want any app that forces me to use the cloud to sync or store my personal notes and information. 

post #11 of 11
Quote:
Originally Posted by scotty321 View Post

@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.

Looks like some people got an email but I did not. That was the first thing I checked.