Evernote hacked, recommends users change passwords now
Popular note taking service Evernote has instituted a service-wide password reset for all members, revealing that there had been suspicious activity on its network that looked like a hacking attempt.
In a blog post on Saturday, it was revealed that Evernote's Operations & Security team had seen activity pointing toward a coordinated attempt at accessing secure features of the service. A subsequent investigation showed no signs that user content had been accessed, changed, or lost. There were also no signs that payment information for any customers had been accessed.
The attackers were, however, able to access user account information: usernames, the email addresses associated with accounts, and the stored password hashes. Evernote describes these as protected by one-way encryption; more precisely, the passwords were stored as salted hashes, so the original passwords cannot be read directly from the stolen data, though weak passwords in such a dump remain exposed to offline guessing.
Evernote now requires every user to create a new password by signing in at evernote.com. After resetting it, users must sign in again with the new password in any other Evernote apps they use.
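The article says the stolen passwords were "hashed and salted" and that a service-wide reset was still ordered. The following is an added illustration, not Evernote's code, of what a salted one-way password store looks like and why a reset is prudent once the hashes leak: the salt makes two users with the same password store different hashes and defeats precomputed tables, but it does nothing for a weak password that an attacker can simply guess. The scheme (PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and an assumed iteration count) and all sample passwords and wordlist entries are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; in production tune it so one
# derivation costs on the order of 100 ms on the login servers.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Store a password as a salted, one-way hash.

    Returns the record a service would keep: the random per-user salt,
    the iteration count, and the derived key.  The password itself is
    never stored.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def salts_make_hashes_distinct(password: str) -> bool:
    """Two users with the same password get different stored hashes,
    so an attacker cannot crack one and reuse the result for the other."""
    a, b = hash_password(password), hash_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(password, a)
            and verify_password(password, b))


def dictionary_attack(record: dict, wordlist) -> Optional[str]:
    """The attacker's view of a leaked record: try each candidate password.

    The salt is part of the stolen record, so it does not stop this; it
    only forces the work to be repeated per user and rules out
    precomputed tables.  A weak password still falls, which is why
    invalidating all passwords after a leak is the right call.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: one strong and one weak user password,
    # and a tiny wordlist standing in for an attacker's dictionary.
    strong = hash_password("correct horse battery staple")
    weak = hash_password("password1")
    wordlist = ["123456", "password1", "qwerty"]

    print("same password, distinct hashes:", salts_make_hashes_distinct("hunter2"))
    print("weak account cracked as:", dictionary_attack(weak, wordlist))
    print("strong account cracked as:", dictionary_attack(strong, wordlist))
```

Running it shows the two sides of the article's point: the salted hashes cannot be reversed, yet the weak account is recovered by the dictionary within a few guesses, while the strong one survives the same wordlist.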
Comments
Quote:
Originally Posted by unother
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
I've just started to appreciate its use though I didn't get it at first. I think I'll go back to using it.
Although I use Reading List via Safari even on my non-Apple devices, I still use Evernote as a backup.
I also downloaded Penultimate for my iPad, and use the Dolphin browser; they both integrate tightly with Evernote.
I first learned of this when a not so friendly message popped up on my Mac's Evernote app saying something like "your password has been changed" and it wouldn't sync any more. I was like "WTF? Has someone stolen my account? My password is strong, how can this be?" So I tried to login to the website. It took my password and went to a "reset your password" page. So then I was like, "Oh. Someone who had my email address asked for a reset. Still looks like a hack attempt on my account." Next move was to look for the usual email one gets when requesting a password reset. Nothing. Totally puzzled, I Googled a bit and found the news. Then, it took several attempts to actually change my password - their servers must have been slammed over this.
The point of this story is that it was handled in a very user-unfriendly manner. I can only imagine the deluge of support requests they must have gotten from the 90% of their users who couldn't work this out on their own.
That said, it was the right move to invalidate all existing passwords. The stolen hashed passwords were most certainly being subjected to brute force and dictionary attacks. I doubt they were literally "encrypted". They were most likely cryptographically hashed with salt added beforehand.
Quote:
Originally Posted by scotty321
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users,
I didn't get one...
However, when I used the desktop app to try and access my account, I couldn't. I was forced to do a full log in, but then was unable to use my existing user/password combination. The error I received was something like "too many unsuccessful login attempts, please wait and try again later."
I initiated a password reset by using the 'forgot my password' function, and received a new confirmation email, this time from a pure evernote.com address. I reset my password directly, and everything resumed as normal.
I'm not sure the original email I received was legitimate. I still have it, so perhaps I'll send it to Evernote with an enquiry. It only added to my uncertainty at first...
If it was legit, it was very poorly handled.
Quote:
Originally Posted by unother
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
After iCloud ate all the documents in my Notes app, I switched to Evernote. Haven't looked back once.
Don't want any app that forces me to use the cloud to sync or store my personal notes and information.
Looks like some people got an email but I did not. That was the first thing I checked.