Saturday, March 02, 2013

Evernote opts to reset all user passwords after hacker intrusion

It's bad when a useful service, such as Twitter, is hacked and hundreds of thousands of users have their passwords stolen -- even in encrypted form. On Saturday, Evernote told users something even worse: every single one of them may have had their user information accessed.

According to the company, usernames, email addresses associated with Evernote accounts and encrypted passwords were accessed. Because of this, Evernote is requiring everyone to change their password when they next log in. Evernote's note-taking application -- mobile or on the Web -- has about 50 million users.

Since the passwords were encrypted, users are probably safe. However, it is another example of why you should never use the same password on multiple accounts. If, for example, you used an easy password on your Gmail account (let's say the oft-used "12345") and the same password on Evernote, a hacker who managed to crack the Evernote one might be able to get into your Gmail account as well.

The company added, though, that they found no evidence that any of the content users store in Evernote was accessed, modified, deleted or otherwise lost. They also found no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed, but -- our statement, not theirs -- it would probably be a good idea for users to monitor any associated payment methods.

Evernote said that it first noticed signs of hacking on Feb. 28. It wasn't until Saturday that the information became public, however.

In a statement sent to CNET, an Evernote representative said the breach of the company's systems "follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks." They are, of course, speaking of Twitter, Facebook, and more. The statement said:

"Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack. They are continuing to investigate the details. We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.

"At this time we believe we have blocked any unauthorized access; however, security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account log-in. We are actively communicating to our users about this attack through our blog, direct e-mails, social media, and support. This simple step of users creating strong, new passwords will help ensure that user accounts remain secure.

"As you point out, attacks like this are becoming more commonplace for all Internet-related companies and services. Evernote's ops and security team ensures we are using the latest and strongest security protocols. In addition, the team continuously and aggressively monitors for unusual activity patterns. This allows us, as was the case in this instance, to catch new and novel attack types as soon after they begin as possible."

Hacks like these have become more common of late. Despite encryption and the like, they should be a concern to users. One can only imagine the havoc that could be wrought if someone broke into a company's Google Apps account where sensitive information was stored, to say nothing of a personal account of some sort.
