This article was published on March 2, 2013

Evernote resets all passwords after intrusion: User data accessed, but payment details untouched



Online note-taking site Evernote is the latest high-profile Web firm to get hacked after the company reset all of its near-50 million users’ passwords following the discovery, and subsequent blockage, of suspicious activity on its network. Users will be prompted to enter a new password when they log in to the service.

There’s good and bad news here. First, the bad: Evernote says that some user data was accessed — including usernames, email addresses and encrypted passwords — but it says that all passwords are hashed and salted. That’s a big deal because it makes them less easy to crack, and therefore less likely to be used to hack into other services.

On the positive side, Evernote says that it has “no evidence” that payment details were collected nor, it says, was any of the content that users store in Evernote “accessed, changed, or lost” despite the intrusion.

All users have been emailed and Evernote says it is updating its apps “over the next several hours”, as part of its security effort.

The company is already winning praise for the way that it has approached this issue, being fully transparent about the details and erring on the side of caution by enacting a full password reset. That’s refreshing in an age when many companies are less clear when dealing with issues of cyber security.

“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” the note reads.

Apple, Microsoft, Facebook, Zendesk and Twitter have all been hit by hacks of late, although there is no suggestion at this point that the events at Evernote — or any of the others — are directly connected.

Here’s the full post — hat tip to Marco Arment for publishing this cache:

The following blog post is also being sent to all Evernote users as an email communication.

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails — instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote team

Headline image via othree
