Evernote, a very popular online note-taking and archiving service, announced in a blog post on March 2, 2013, that its operations and security team had become aware of suspicious activity on its network. In the blog post, Evernote did not explain how the attackers gained access to its network or for how long they had that access. In fact, the Security Notice was short on specifics about the breach, leaving many of the company's users uneasy over the weekend.
According to the Security Notice blog post by Dave Engberg and the Evernote team, "There was a coordinated attempt to access secure areas of the Evernote Service." Upon discovering this suspicious activity, Evernote's Operations and Security Team located and blocked it. In what appears to be an abundance of caution to protect its users' sensitive data, Evernote took a further protective step and forced a system-wide password reset, and apparently began an "investigation," although the company does not say who is conducting it.
Here is what we do know from the Evernote blog post:
- Suspicious activity was first detected on February 28, 2013.
- Evernote's network systems were breached by an unauthorized party or parties.
- The unauthorized party or parties were able to obtain Evernote user information: user name, email address, and encrypted password.
- There is no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
- Evernote's passwords are stored with one-way encryption (hashed and salted), making them more difficult for attackers to crack.
- ALL Evernote users are required to reset their password.
What is peculiar about Evernote's handling of the breach notification, and may even have caused some confusion for users, is that Evernote chose to notify its users of the security breach by emailing them the very Security Notice blog post. In that post Evernote warns its users to NEVER click on reset-password requests in emails, yet that is exactly what the Evernote Security Notice email asks its users to do. This may not have been the best method of notifying its customers of the breach and may have added to the confusion, with users unable to tell whether the security notice was real or a phishing attempt; this may be why the company had to force the password reset system-wide.
Unfortunately, Evernote gives very little information about the breach, so in our effort to give you all the information possible we are posting the Evernote Security Notice below:
Security Notice: Service-wide Password Reset
Posted by Dave Engberg on 02 Mar 2013
The following blog post was sent to all Evernote users as an email communication.
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.
After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.
As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.
There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
- Avoid using simple passwords based on dictionary words
- Never use the same password on multiple sites or services
- Never click on ‘reset password’ requests in emails — instead go directly to the service
Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.
The Evernote team
Additional Resources About This Breach: