Never miss an update Follow AppleInsider
Sunday, March 03, 2013, 04:58 pm
Evernote hacked, recommends users change passwords now
Popular note taking service Evernote has instituted a service-wide password reset for all members, revealing that there had been suspicious activity on its network that looked like a hacking attempt.
In a blog post on Saturday, it was revealed that Evernote's Operations & Security team had seen activity pointing toward a coordinated attempt at accessing secure features of the service. A subsequent investigation showed no signs that user content had been accessed, changed, or lost. There were also no signs that payment information for any customers had been accessed.
The hackers were able, though, to access Evernote user information, including usernames, email addresses associated with accounts, and encrypted passwords. The passwords stored by Evernote feature one-way encryption, meaning they are both hashed and salted.
Evernote now requires users to create a new password by signing into their accounts on evernote.com. Upon resetting their passwords, users will have to sign in using that password on any other Evernote apps they use.
On Topic: General
- Google's Motorola issues second appeal of dismissed ITC case against Apple
- South Australia's first Apple Store draws line hours ahead of opening [update: photos and video]
- Rains once more cause damage at Apple's Fifth Avenue NY store
- Steve Jobs's family has been giving money away anonymously for more than 2 decades
- Judge says evidence will likely show Apple culpable in e-book price fixing case
Previous Comments View All
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
I've just started to appreciate its use though I didn't get it at first. I think I'll go back to using it.
Although I use Reading List via Safari even on my non-Apple devices, I still use Evernote as a backup.
I also downloaded Penultimate for my iPad, and use the Dolphin browser; they both integrate tightly with Evernote.
Headline is wrong. They don't recommend changing passwords, they are forcing all users to change their passwords.
I first learned of this when a not so friendly message popped up on my Mac's Evernote app saying something like "your password has been changed" and it wouldn't sync any more. I was like "WTF? Has someone stolen my account? My password is strong, how can this be?" So I tried to login to the website. It took my password and went to a "reset your password" page. So then I was like, "Oh. Someone who had my email address asked for a reset. Still looks like a hack attempt on my account." Next move was to look for the usual email one gets when requesting a password reset. Nothing. Totally puzzled, I Googled a bit and found the news. Then, it took several attempts to actually change my password - their servers must have been slammed over this.
The point of this story is that it was handled in a very user-unfriendly manner. I can only imagine the deluge of support requests they must have gotten from the 90% of their users who couldn't work this out on their own.
That said, it was the right move to invalidate all existing passwords. The stolen hashed passwords were most certainly being subjected to brute force and dictionary attacks. I doubt they were literally "encrypted". They were most likely cryptographically hashed with salt added beforehand.
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users,
I didn't get one...
The really big snafu was that after updating the Evernote app from an iDevice and changing passwords, sign-in failed. The password change was effectively recorded though because the website would recognize it and allow sign-in, just the app gave an error notice. Deleting and re-installing the app fixed it, but some users reported data loss. I didn't lose any of mine, but then I had an earlier version of Evernote in my old iPad so maybe it just synced from there, dunno.
I received an email notification, but I found it highly suspect. All the "log in and change your password" links were not linked to pure evernote.com URLs. The inline text links simply read "evernote.com", but actually linked to a domain similar to this: "links.evernote.mkt1388.com". I assumed it was a phishing scam, and didn't click through.
However, when I used the desktop app to try and access my account, I couldn't. I was forced to do a full log in, but then was unable to use my existing user/password combination. The error I received was something like "too many unsuccessful login attempts, please wait and try again later."
I initiated a password reset by using the 'forgot my password' function, and received a new confirmation email, this time from a pure evernote.com address. I reset my password directly, and everything resumed as normal.
I'm not sure the original email I received was legitimate. I still have it, so perhaps I'll send it to Evernote with an enquiry. It only added to my uncertainty at first...
If it was legit, it was very poorly handled.
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
After iCloud ate all the documents in my Notes app, I switched to Evernote. Haven't looked back once.
Don't want any app that forces me to use the cloud to sync or store my personal notes and information.
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.
Looks like some people got an email but I did not. That was the first thing I checked.
Latest Apple Headlines
-
iPad shipments could see first ever year-on-year decline in Q2, analyst says
~17 hours ago -
Google's Motorola issues second appeal of dismissed ITC case against Apple
~19 hours ago -
iPhone urinalysis app draws scrutiny from FDA
~20 hours ago -
South Australia's first Apple Store draws line hours ahead of opening [update: photos and video]
~20 hours ago -
Best Buy to offer $50 off all iPhone 5 & 4S models starting Sunday
~23 hours ago - more...
Want to write for AppleInsider? Submit your application now!
Lowest Prices Anywhere!
| Model | Price | You Save |
|---|---|---|
| Core i5 MacBook Pros w/ Retina | ||
| 13" 2.5GHz/8GB/128GB | $1,406.48 | $292.52 |
| 13" 2.5GHz/8GB/256GB | $1,479.99 | $519.01 |
| 13" 2.5GHz/8GB/512GB | $1,699.99 | $799.01 |
| Core i7 MacBook Pros w/ Retina | ||
| 13" 2.9GHz/8GB/256GB | $1,599.99 | $599.01 |
| 13" 2.9GHz/8GB/512GB | $1,799.99 | $899.01 |
| 15" 2.3GHz/8GB/256GB | $1,899.99 | $299.01 |
| 15" 2.6GHz/8GB/512GB | $2,299.99 | $568.01 |
| 15" 2.7GHz/16GB/768GB | $2,699.99 | $499.01 |
| Model | White | Black | |
|---|---|---|---|
| iPad mini (WiFi only) | |||
| 16GB WiFi |  |
$329.99 | $329.99 |
| 32GB WiFi | |
$429.99 | $429.99 |
| 64GB WiFi | |
$529.99 | $529.99 |
| iPad mini (WiFi + 4G) | |||
 |
 |
 |
|
| 16GB 4G White | $459.99 | $459.99 | $459.99 |
| 32GB 4G White | $559.99 | $559.99 | $559.99 |
| 64GB 4G White | $659.99 | $659.99 | $659.99 |
| 16GB 4G Black | $459.99 | $459.99 | $459.99 |
| 32GB 4G Black | $559.99 | $559.99 | $559.99 |
| 64GB 4G Black | $659.99 | $659.99 | $659.99 |
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.