Evernote, the popular online personal organiser, have had to issue a password reset for all their users after hackers penetrated the company’s protection systems and accessed login credentials. The company sent out an email to customers.
The Evernote team found out about the attack and subsequently blocked ‘suspicious activity on their network that appears to have been a coordinated attempt to access secure areas’ of the service. The company posted a blog post detailing the problem, and the investigation is still ongoing. The database containing user names, email addresses and passwords had been accessed by the intruders.
The company use ‘one way encryption’, meaning the passwords are hashed and salted, to protect their data, so Evernote have said the damage was limited. The company have also said that there is no evidence that payment card details or stored data have been exposed.
Evernote said “As a precaution to protect your data, we have decided to implement a password reset.”
They added “Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use.”
The company reminded customers not to use simple passwords based on words found in dictionaries and never to use the same passwords across multiple websites or services.
Evernote said “As recent events with other large services have demonstrated, this type of activity is becoming more common.”
The company added that users should never click on ‘reset password’ links in emails. They recommend that people go to the website directly to reset passwords, rather than risk following a link in any email. This comes after the company made a mistake in an email they sent out to customers after the hack. They sent one with the subject line “Evernote Security Notice: Service-wide Password Reset”, which contained some embedded links to evernote.com. If the user hovered over a link, the text evernote.com turned out to point to a mkt5371.com domain. This was spotted by Graham Cluley of Sophos on the Naked Security Blog. It was a ‘marketing mistake’, as the domain is owned by email communications firm Silverpop, who sent the email out on Evernote’s behalf.
Cluley said “It looks very out of place in an email about a security breach which tried to hammer home the point to ‘Never click on ‘reset password’ requests in emails – instead go direct to the service.’ You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.”
Kitguru says: A bit of a mess all round for Evernote. A lesson learned the hard way.