Evernote hacked: resets all passwords - gHacks Tech News

Evernote hacked: resets all passwords

The note-taking service Evernote has posted a security advisory on its website informing the public that the company's Operations & Security team has discovered - and blocked - suspicious activity on the Evernote network.

An investigation of the matter revealed that the attackers managed to download user information (usernames, email addresses and encrypted passwords) but did not access the data that users store on Evernote's servers.

The company made the decision to reset all user account passwords as a precaution. The past has shown that brute force attacks on dumped password databases return a large number of valid passwords in a short time. By resetting all passwords, Evernote blocks the attackers from accessing accounts with any passwords they manage to recover from the dump.

With the passwords being unusable to gain account access, hackers are left with a database full of usernames and email addresses. It is certainly possible that the information could be abused by sending out emails to customers claiming it is coming from Evernote to trick them into visiting a malicious website.

Evernote has sent out emails to all of its users informing them about the security breach. While that is reasonable, considering that the majority of users are probably not reading security advisories that the company posts, the team that created the email made a major mistake according to the Naked Security blog.

Both the security notice on the Evernote website and the email give the following sound advice:

Never click on 'reset password' requests in emails — instead go directly to the service

The email that Evernote sent out contains a password reset link that the company added to it. To make matters worse, it does not link directly to an Evernote server, but uses an email marketing domain as a redirect which makes it look like a phishing link.
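The point of the advice is that a legitimate reset link should resolve to the service's own domain, and a link that first passes through a third-party tracking or marketing host is indistinguishable from a phishing lure. The check below, an added example that is not code from the article or from Evernote, shows how a mail filter or a cautious reader can tell the two apart: it accepts only hosts that are the service domain or a subdomain of it (so a lookalike such as `evernote.com.something.test` fails), and for third-party hosts it extracts any destination URL embedded in the query string, which is how redirect trackers typically carry the real target. All URLs and the email body are constructed for the example; the marketing domain in the article is not named, so a placeholder `.test` host stands in for it.

```python
import re
from urllib.parse import urlparse, parse_qs

# Domains the service legitimately sends users to (assumption: the service's own web host).
SERVICE_DOMAINS = ["evernote.com"]

# Constructed sample email body: one direct link and one link routed through a
# hypothetical mail-marketing redirect host. Neither URL is taken from the article.
SAMPLE_EMAIL = """\
We have reset your password as a precaution.
Set a new one here: https://links.mailer-example.test/c/abc123?u=https%3A%2F%2Fwww.evernote.com%2Freset
Or sign in directly at https://www.evernote.com/
Thank you for using the service.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, domain):
    """True if host is exactly domain or a subdomain of it.

    Suffix matching on '.' + domain is what defeats lookalike hosts such as
    'evernote.com.account-verify.test', which merely *contain* the real name.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_reset_link(url, service_domains):
    """Classify one link as 'direct', 'direct-insecure' or 'third-party-redirect'.

    Returns (verdict, host, embedded_target). embedded_target is the first
    absolute URL found in the query string of a third-party link, the usual
    place a tracking redirector carries the real destination.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if any(host_matches(host, d) for d in service_domains):
        verdict = "direct" if parsed.scheme == "https" else "direct-insecure"
        return (verdict, host, None)

    embedded = None
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                embedded = value
                break
        if embedded:
            break
    return ("third-party-redirect", host, embedded)


def audit_email(body, service_domains):
    """Extract every link in an email body and classify each one."""
    return [(url,) + classify_reset_link(url, service_domains)
            for url in URL_RE.findall(body)]


def links_to_avoid(body, service_domains):
    """Links a reader should not click: anything not served by the service itself."""
    return [url for url, verdict, _, _ in audit_email(body, service_domains)
            if verdict != "direct"]


if __name__ == "__main__":
    for url, verdict, host, target in audit_email(SAMPLE_EMAIL, SERVICE_DOMAINS):
        print(f"{verdict:22} host={host}")
        if target:
            print(f"{'':22} redirects to {target}")
```

Run against the constructed message, the first link is reported as a third-party redirect whose embedded destination is the service's reset page, while the second is a direct link; the practical advice remains to type the service's address into the browser rather than follow either one.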

I'd recommend visiting the Evernote website directly in your web browser of choice to select a new password for the account.

evernote login screenshot

It is recommended to change the account password on other websites as well if you have been using the very same password for your accounts on these sites.


    Comments

    1. ilev said on March 3, 2013 at 4:22 am
      Reply

      All 50 million users' data has been downloaded.

    2. John Sha said on March 3, 2013 at 4:25 am
      Reply

      These types of attacks and viruses are becoming so much more common. Every now and then there is an email saying ‘PayPal needs more info’ etc. But we see so much less effort to tackle these situations.

    3. Lorenzo said on March 3, 2013 at 6:31 am
      Reply

      This is why we have not uploaded private data to the network :/

    4. Grantwhy said on March 3, 2013 at 6:52 am
      Reply

      —–
      Both the security notice on the Evernote website and the email give the following sound advice:

      “Never click on ‘reset password’ requests in emails — instead go directly to the service”

      The email that Evernote sent out contains a password reset link that the company added to it. To make matters worse, it does not link directly to an Evernote server, but uses an email marketing domain as a redirect which makes it look like a phishing link.
      ——

      >> insert Picard, Riker Double Facepalm here <<

      Kind of like the business (true story) who would send out forms to people and in bold letters at the beginning of the form asked them to fill out the form with a BLACK pen. And they were kind enough to send out a free pen with every form. Only problem was that it was a BLUE pen. And they did that for almost five years (because they wanted to give away all the pens).

    5. Don't do said on March 3, 2013 at 7:11 am
      Reply

      Cloud computing.

    6. Peter888 said on March 3, 2013 at 1:52 pm
      Reply

      Lorenzo, this is why one must never upload private data to the network.

    7. ilev said on March 3, 2013 at 3:04 pm
      Reply

      Resetting the password isn’t enough. Users must change their user-name and their email address, used everywhere, as those have been already sold to spammers.

    8. berrtie said on March 3, 2013 at 3:47 pm
      Reply

      At the very least anything stored on the cloud should be securely encrypted.

    9. berrtie said on March 3, 2013 at 3:48 pm
      Reply

      Forgot to add, with your own keys, not those of the service.

    10. bubba said on March 5, 2013 at 3:02 pm
      Reply

      Does anyone really even use evernote, NEVERNOTE sounds like a better name.
