Popular note-taking service Evernote has instituted a service-wide password reset for all members, revealing that there had been suspicious activity on its network that looked like a hacking attempt.
Evernote recommends users log into Evernote.com to reset their passwords.
In a blog post on Saturday, it was revealed that Evernote's Operations & Security team had seen activity pointing toward a coordinated attempt at accessing secure features of the service. A subsequent investigation showed no signs that user content had been accessed, changed, or lost. There were also no signs that payment information for any customers had been accessed.
The hackers were able, though, to access Evernote user information, including usernames, email addresses associated with accounts, and encrypted passwords. The passwords stored by Evernote feature one-way encryption, meaning they are both hashed and salted.
Evernote now requires users to create a new password by signing into their accounts on evernote.com. After resetting their passwords, users will have to sign in with the new password on any other Evernote apps they use.
10 Comments
All this convinced me to do was deactivate my dormant account. I might be fickle but I don't see a purpose to this company now.
I've just started to appreciate its use though I didn't get it at first. I think I'll go back to using it.
Although I use Reading List via Safari even on my non-Apple devices, I still use Evernote as a backup.
I also downloaded Penultimate for my iPad, and use the Dolphin browser; they both integrate tightly with Evernote.
Headline is wrong. They don't recommend changing passwords, they are forcing all users to change their passwords. I first learned of this when a not-so-friendly message popped up on my Mac's Evernote app saying something like "your password has been changed" and it wouldn't sync any more. I was like "WTF? Has someone stolen my account? My password is strong, how can this be?" So I tried to log in to the website. It took my password and went to a "reset your password" page. So then I was like, "Oh. Someone who had my email address asked for a reset. Still looks like a hack attempt on my account." Next move was to look for the usual email one gets when requesting a password reset. Nothing. Totally puzzled, I Googled a bit and found the news. Then, it took several attempts to actually change my password - their servers must have been slammed over this. The point of this story is that it was handled in a very user-unfriendly manner. I can only imagine the deluge of support requests they must have gotten from the 90% of their users who couldn't work this out on their own. That said, it was the right move to invalidate all existing passwords. The stolen hashed passwords were most certainly being subjected to brute force and dictionary attacks. I doubt they were literally "encrypted". They were most likely cryptographically hashed with salt added beforehand.
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.
@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users,
I didn't get one...