Evernote Issues Password Reset After Security Breach

by

evernoteNote-taking service Evernote today released a statement announcing that it had discovered suspicious activity on the Evernote network, which prompted it to issue a service-wide password reset.

While Evernote says that no content or payment information was accessed, hackers did acquire usernames, email addresses, and encrypted passwords.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

All Evernote users will be prompted to choose a new password when logging in to the website. The company is is also releasing updates to several of its apps today to facilitate the password change.

Evernote's security breach comes a bit over a week after Apple, Twitter, and Facebook were hacked when employees visited iPhoneDevSDK, an online forum for software developers.

Top Rated Comments

(View all)
Avatar
95 months ago

I have a 20 character master password with 1Passsword. If I go to the site below and enter a password mask (I would never enter my actual password in anything other than 1Password), it would take sextillion years to crack my password.

http://howsecureismypassword.net


That isn't strictly true. Your password could be cracked in the first 5 minutes of a run. It's highly unlikely, true, but the proper way to state matters would be to say that it would take that length of time to try all combinations of the characters you use.

</pedantry>
Score: 2 Votes (Like | Disagree)
Avatar
94 months ago
I never got an email either but I think I know why... evernote sent the email from a NON-evernote domain that was only registered a few months ago and who's ID looks like it doesn't belong to evernote. It looks EXACTLY like a classic fishing scheme... except evernote has admit it really was from them. Many email services grab these messages because they look so obviously fake. They are now saying on the forums it was due to this happening in the midst of a big email server switch for them and this was the only way they could send out 50 million emails on short notice. To me it says that this is a big company still playing amateur hour when it comes to user security.

1. no 2 factor authentication.
2. SSL only when sending data to their servers.
3. no encryption of ANY KIND of ANY of your notes or notebooks on their servers. if someone gets your primary password, everything is exposed.
4. poor handling of the large data leak... email response, style and timing was all beyond poor. all passwords reset prior to ANY email, twitter, homepage or any other notification sent from evernote. the error alert saturday morning on evernote.com and in apps simply said you were entering the wrong password leading thousands to think they had been hacked with nothing at all explaining what had really happened.

this is a company that proudly has articles on their website saying "how to use evernote at tax time" but does nothing at all to protect the critical nature of user information on their servers. no one does this as poorly in the crowd they want to play in: apple, twitter, google, dropbox etc. it is downright irresponsible for them to imply that critical user data is safe and they haven't even hinted they want to improve it ('cept for 2 factor which they have been implying for a year and never arrived even with the big 5.0 update.)

i hope evernote stops what they are doing, realizes they are becoming a MAJOR player in the cloud space and with 60 million accounts they have to do FAR better. evernote has been iterating like mad on their service which has brought them great success but they need to pour their resources into security they desperately need starting with 2 factor authentication and the ability to encrypt notebooks. only then will evernote be a modern, secure cloud service to store your life's most valuable information.
Score: 1 Votes (Like | Disagree)
Avatar
94 months ago
I use Evernote but didn't seem to receive the email warning of the password breach. It certainly wasn't in my inbox.

So, I just searched my Mail.app and discovered that Apple's junk-mail filter had put the Evernote email directly into the trash. :confused:
Score: 1 Votes (Like | Disagree)
Avatar
94 months ago

For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get passed the encryption/masterpassword and access to all my passwords.


In case of 1PW, they would need all the time in the world.

As long as you use a long and safe Master Password, encrypted data in the cloud is not an issue.

They will go for a dictionary attack before they try to decrypt your contents.

-t
Score: 1 Votes (Like | Disagree)
Avatar
95 months ago
This event simply emphasizes the value of taking one's password & security plan seriously.

By keeping it dynamic with regular changing of passwords & executing procedures as suggested by those above, one is relatively safe.
Score: 1 Votes (Like | Disagree)
Avatar
95 months ago

One way is to have your own domain and a hosting service with unlimited number of convenient mail aliases. Also makes it easy to shutdown an address if it starts to get spam...

1Password is really nice.


I have several websites/domains, but I would never want to take the time to start using a separate email now for each account. Even though I could just do mymail1@, mymail2@, and just forward them to a master account, I don't feel the need to do that just now. It's better security that's for sure, but I don't know if I need that now. But I will put that on my list of things to consider.

What I do thought, is lie when presented with secret questions for my accounts. So if it says what state was I born, I say any state other than my own. When it says first car, I say some nice Italian number, etc.

Bryan
Score: 1 Votes (Like | Disagree)

Top Stories

Leaker: Apple to Stick With Lightning Over USB-C for 'iPhone 12' Before Going Port-Less Next Year

Tuesday May 26, 2020 2:31 am PDT by
Apple will use a Lightning port instead of USB-C in the upcoming "iPhone 12," but it will be the last major series of Apple's flagship phones to do so, with models set to combine wireless charging and a port-less Smart Connector system for data transfer and syncing in the iPhone "13 series" next year. The above claim comes from occasional Apple leaker and Twitter user "Fudge" (@choco_bit),...

Apple Releases macOS Catalina 10.15.5 With Battery Health Management Features, Fix for Finder Freezing

Tuesday May 26, 2020 1:59 pm PDT by
Apple today released macOS Catalina 10.15.5, the fifth update to the macOS Catalina operating system that was released in October 2019. macOS Catalina 10.15.5 comes two months after the launch of macOS Catalina 10.15.4, which introduced Screen Time Communication Limits. macOS Catalina 10.15.5 is a free update that can be downloaded from the Mac App Store using the Update feature in the...

Apple Reissuing Numerous iOS App Updates, Potentially Related to Recent 'This App is No Longer Shared' Bug

Sunday May 24, 2020 9:13 pm PDT by
Over the past few hours, a number of MacRumors readers have reported seeing dozens or even hundreds of pending app updates showing in the App Store on their iOS devices, including for many apps that were already recently updated by the users. In many cases, the dates listed on these new app updates extend back as far as ten days. Apple has not shared any information as to why updates for...

16-Inch MacBook Pro, iPad Pro, and iMac Pro With Mini-LED Displays Again Rumored to Launch in 2021

Tuesday May 26, 2020 5:30 am PDT by
Apple plans to release several higher-end devices with Mini-LED displays in 2021, including a new 12.9-inch iPad Pro in the first quarter, a new 16-inch MacBook Pro in the second quarter, and a new 27-inch iMac in the second half of the year, according to Jeff Pu, an analyst at Chinese research firm GF Securities. This timeframe lines up with one shared by analyst Ming-Chi Kuo, who recently...

Jailbreak Tool 'unc0ver' 5.0 Released With iOS 13.5 Compatibility

Sunday May 24, 2020 3:06 pm PDT by
The team behind the "unc0ver" jailbreaking tool for iOS has released version 5.0.0 of its software that claims to have the ability to jailbreak "every signed iOS version on every device" using a zero-day kernel vulnerability by Pwn20wnd, a renowned iOS hacker. The announcement comes just days after it was announced that the tool would soon launch. The unc0ver website highlights how the tool...

Future AirPods to Include 'Ambient Light Sensors' Possibly Related to Rumored Health Features

Monday May 25, 2020 2:53 am PDT by
Apple is reportedly looking to integrate light sensors in a new model of AirPods in the next couple of years, according to a new report today, suggesting their use could be part of rumored upcoming health monitoring features in the true wireless earbuds. In a paywalled article, DigiTimes reports that ASE Technology could be involved in manufacturing the sensors: Apple is expected to...

First App Using Apple and Google's Exposure Notification API Launches in Switzerland

Tuesday May 26, 2020 3:02 pm PDT by
The first app that takes advantage of the Exposure Notification API developed by Apple and Google has launched in Switzerland, according to a report from the BBC. A team of app developers working on contact tracing app called SwissCovid have rolled out the app in a beta capacity for members of the Swiss army, hospital workers, and civil servants. After the app is tested and approved by MPs,...

'This App is No Longer Shared' iOS Bug Preventing Some Apps From Opening

Friday May 22, 2020 3:58 pm PDT by
An app bug is causing some iOS users to be unable to open their apps, with affected iPhone and iPad users seeing the message "This app is no longer shared with you" when attempting to access an app. There are multiple complaints about the issue on the MacRumors forums and on Twitter from users who are running into problems. A MacRumors reader describes the issue:Is anyone else experiencing...

HBO Max Now Available on Apple TV and iOS Devices

Wednesday May 27, 2020 2:42 am PDT by
HBO Max launched today, and is now available on Apple TV, iPhone, and iPad. WarnerMedia's new streaming service, which replaces HBO Now, combines HBO content with shows and films from Warner Bros and Turner TV. The service is available as a native app on the ‌Apple TV‌ HD and ‌Apple TV‌ 4K, but second and third-generation ‌Apple TV‌ owners will need to AirPlay HBO Max content...

Apple's Pro Display XDR Wins 'Displays of the Year' Award

Tuesday May 26, 2020 7:45 am PDT by
The Society for Information Display today announced its selections for the 26th Annual Display Industry Awards, and Apple has once again taken one of the top spots, this time with its Pro Display XDR that debuted last year alongside the revamped Mac Pro. The Pro Display XDR was one of three display products named "Displays of the Year," alongside Samsung's foldable display and BOE's...