evernoteNote-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.

Top Rated Comments

jennyp Avatar
149 months ago
I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net

That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

</pedantry>
Score: 2 Votes (Like | Disagree)
canyonblue737 Avatar
149 months ago
I never got an email either but I think I know why... evernote sent the email from a NON-evernote domain that was only registered a few months ago and who's ID looks like it doesn't belong to evernote. It looks EXACTLY like a classic fishing scheme... except evernote has admit it really was from them. Many email services grab these messages because they look so obviously fake. They are now saying on the forums it was due to this happening in the midst of a big email server switch for them and this was the only way they could send out 50 million emails on short notice. To me it says that this is a big company still playing amateur hour when it comes to user security.

1. no 2 factor authentication.
2. SSL only when sending data to their servers.
3. no encryption of ANY KIND of ANY of your notes or notebooks on their servers. if someone gets your primary password, everything is exposed.
4. poor handling of the large data leak... email response, style and timing was all beyond poor. all passwords reset prior to ANY email, twitter, homepage or any other notification sent from evernote. the error alert saturday morning on evernote.com and in apps simply said you were entering the wrong password leading thousands to think they had been hacked with nothing at all explaining what had really happened.

this is a company that proudly has articles on their website saying "how to use evernote at tax time" but does nothing at all to protect the critical nature of user information on their servers. no one does this as poorly in the crowd they want to play in: apple, twitter, google, dropbox etc. it is downright irresponsible for them to imply that critical user data is safe and they haven't even hinted they want to improve it ('cept for 2 factor which they have been implying for a year and never arrived even with the big 5.0 update.)

i hope evernote stops what they are doing, realizes they are becoming a MAJOR player in the cloud space and with 60 million accounts they have to do FAR better. evernote has been iterating like mad on their service which has brought them great success but they need to pour their resources into security they desperately need starting with 2 factor authentication and the ability to encrypt notebooks. only then will evernote be a modern, secure cloud service to store your life's most valuable information.
Score: 1 Votes (Like | Disagree)
japanime Avatar
149 months ago
I use Evernote but didn't seem to receive the email warning of the password breach. It certainly wasn't in my inbox.

So, I just searched my Mail.app and discovered that Apple's junk-mail filter had put the Evernote email directly into the trash. :confused:
Score: 1 Votes (Like | Disagree)
turtle777 Avatar
149 months ago
For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.

In case of 1PW, they would need all the time in the world.

As long as you use a long and safe Master Password, encrypted data in the cloud is not an issue.

They will go for a dictionary attack before they try to decrypt your contents.

-t
Score: 1 Votes (Like | Disagree)
maxosx Avatar
149 months ago
This event simply emphasizes the value of taking one's password & security plan seriously.

By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.
Score: 1 Votes (Like | Disagree)
furi0usbee Avatar
149 months ago
One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

1Password is really nice.

I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

What I do thought, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

Bryan
Score: 1 Votes (Like | Disagree)

Popular Stories

iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
Apple Watch Series 9

2024 Apple Watch Lineup: Key Changes We're Expecting

Tuesday July 16, 2024 7:59 am PDT by
Apple is seemingly planning a rework of the Apple Watch lineup for 2024, according to a range of reports from over the past year. Here's everything we know so far. Apple is expected to continue to offer three different Apple Watch models in five casing sizes, but the various display sizes will allegedly grow by up to 12% and the casings will get taller. Based on all of the latest rumors,...
iPhone 16 Pro Left Side Feature

iPhone 16 Pro Again Rumored to Come in New 'Rose' Color

Tuesday July 16, 2024 3:53 am PDT by
Apple's upcoming iPhone 16 Pro and iPhone 16 Pro Max will be available in a new "Rose" color, claims a rumor out of China, corroborating previous claims. Chinese Weibo-based leaker OvO Baby Sauce OvO, a relatively new source of supply chain leaks, said on Tuesday that the new color code for the iPhone 16 Pro models is simply "Rose," not the previous "Rose Gold" color that Apple first offered ...
New MacBook Pros Launching Tomorrow With These 4 New Features 2

M5 MacBook Models to Use New Compact Camera Module in 2025

Wednesday July 17, 2024 2:58 am PDT by
Apple in 2025 will take on a new compact camera module (CCM) supplier for future MacBook models powered by its next-generation M5 chip, according to Apple analyst Ming-Chi Kuo. Writing in his latest investor note on unny-opticals-2025-business-momentum-to-benefit-509819818c2a">Medium, Kuo said Apple will turn to Sunny Optical for the CCM in its M5 MacBooks. The Chinese optical lens company...
tinypod apple watch

TinyPod Turns Your Apple Watch Into an iPod

Wednesday July 17, 2024 3:18 pm PDT by
If you have an old Apple Watch and you're not sure what to do with it, a new product called TinyPod might be the answer. Priced at $79, the TinyPod is a silicone case with a built-in scroll wheel that houses the Apple Watch chassis. When an Apple Watch is placed inside the TinyPod, the click wheel on the case is able to be used to scroll through the Apple Watch interface. The feature works...
macbook pro january

Best Buy's Black Friday in July Sale Takes Up to $700 Off M3 MacBook Pro for Members

Monday July 15, 2024 11:05 am PDT by
Best Buy's "Black Friday in July" sale is in full swing today, and in addition to a few iPad Air discounts we shared earlier, there are also some steep markdowns on the M3 MacBook Pro. You will need a My Best Buy Plus or Total membership in order to get some of these deals. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a purchase, we may receive a small...