/article-new/2013/03/evernote.png?lossy)
Note-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.
While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.
Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.
Top Rated Comments
(View all)I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.
http://howsecureismypassword.net
That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.
</pedantry>
1. no 2 factor authentication.
2. SSL only when sending data to their servers.
3. no encryption of ANY KIND of ANY of your notes or notebooks on their servers. if someone gets your primary password, everything is exposed.
4. poor handling of the large data leak... email response, style and timing was all beyond poor. all passwords reset prior to ANY email, twitter, homepage or any other notification sent from evernote. the error alert saturday morning on evernote.com and in apps simply said you were entering the wrong password leading thousands to think they had been hacked with nothing at all explaining what had really happened.
this is a company that proudly has articles on their website saying "how to use evernote at tax time" but does nothing at all to protect the critical nature of user information on their servers. no one does this as poorly in the crowd they want to play in: apple, twitter, google, dropbox etc. it is downright irresponsible for them to imply that critical user data is safe and they haven't even hinted they want to improve it ('cept for 2 factor which they have been implying for a year and never arrived even with the big 5.0 update.)
i hope evernote stops what they are doing, realizes they are becoming a MAJOR player in the cloud space and with 60 million accounts they have to do FAR better. evernote has been iterating like mad on their service which has brought them great success but they need to pour their resources into security they desperately need starting with 2 factor authentication and the ability to encrypt notebooks. only then will evernote be a modern, secure cloud service to store your life's most valuable information.
So, I just searched my Mail.app and discovered that Apple's junk-mail filter had put the Evernote email directly into the trash. :confused:
For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.
In case of 1PW, they would need all the time in the world.
As long as you use a long and safe Master Password, encrypted data in the cloud is not an issue.
They will go for a dictionary attack before they try to decrypt your contents.
-t
By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...
1Password is really nice.
I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.
What I do thought, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.
Bryan