News

Evernote hacked; 50 million passwords reset

04 March 2013

Evernote, an online personal note-taking and archiving service, announced on Saturday that it had “discovered and blocked suspicious activity on the Evernote network,” and had consequently initiated a password reset for its 50 million users.

Neither user content nor customer payment details were accessed, but Evernote admits that the hacker/s gained access to usernames, email addresses and passwords. The passwords were hashed and salted, which slows down cracking but does not prevent it for anything but the strongest passwords. For this reason, announced the company, “in an abundance of caution, we are requiring all users to reset their Evernote account passwords.”

The announcement added three pieces of advice: avoid simple passwords that use dictionary words; never reuse the same password on multiple sites; and never click on ‘reset password’ requests in emails. The first gives the user more time to reset a compromised password before it is cracked; the second ensures that a compromised password cannot be used to gain access to multiple accounts; and the third is a defence against phishing attacks and scams (particularly important since it is likely that scammers will take advantage of user confusion and send out emails pretending to be Evernote support).

Few details on the breach have yet been announced, leaving commentators to search for clues on what actually happened. TechCrunch asked Evernote founder and CEO Phil Libin if the breach was connected to last month’s breach at support company Zendesk, but was told, “We don’t know about all the details at Zendesk, so it’s premature to comment on that.”

CNET was told, “We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.” This has led to conjecture that the breach may have followed a phishing or spear-phishing attack that delivered a Java exploit. However, Evernote spokeswoman Ronda Scott told Reuters “that the hackers did not exploit a bug in Java when they broke into the company's system.”

Bob Lord, the company’s information security director, simply told the BBC that the attack “was not the work of amateurs.” The implication is that the breach was quickly noted (on 28 February), rapidly blocked, and disclosed and remedied by the password reset within 2 days. In some instances hackers have been found to have been present on the network for months before discovery, but such details will not become known until the breach has been fully investigated.

Meanwhile, Graham Cluley of Sophos has claimed that “Evernote shoots itself in foot over ‘never click on reset password requests’ advice.” This, says Cluley, is “a very sound piece of advice,” but he then points out that the associated email sent to customers includes a link that can be used to reset passwords. To make matters worse, the link is displayed as evernote.com but does not go to evernote.com – it goes to mkt5371.com. In reality, this is an email marketing company. “Presumably,” says Cluley, “that’s so Evernote can track and collect data on how successful the email campaign has been.” Nevertheless, he adds, “You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.”
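The mismatch Cluley describes (visible link text naming evernote.com, href pointing at mkt5371.com) is exactly what a mail-filter check can flag. The following is an added example written for this article, not code from Evernote, Sophos or the marketing provider; the href host mkt5371.com comes from the article, while the sample email body and its tracking path are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(value):
    """Last two host labels of a URL or bare domain (no public-suffix list)."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

_LOOKS_LIKE_URL = re.compile(r"^(\w+://)?[\w-]+(\.[\w-]+)+(/\S*)?$")

def find_suspicious_links(html, sender_domain):
    """Flag anchors whose visible text names a different domain than the
    href resolves to, and anchors whose href leaves the sender's domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_domain, reasons = registered_domain(href), []
        if _LOOKS_LIKE_URL.match(text) and registered_domain(text) != href_domain:
            reasons.append("display-text-mismatch")
        if href_domain != sender_domain:
            reasons.append("off-domain")
        if reasons:
            findings.append({"href": href, "text": text,
                             "href_domain": href_domain, "reasons": reasons})
    return findings

# Constructed sample modelled on the mismatch described above; the path is invented.
SAMPLE_EMAIL = """<p>To reset your password, visit
<a href="http://mkt5371.com/track/CONSTRUCTED-ID">https://evernote.com/reset</a>
or read our <a href="https://evernote.com/security">security notice</a>.</p>"""
```

Run `find_suspicious_links(SAMPLE_EMAIL, "evernote.com")` to see the tracking link flagged for both reasons while the genuine evernote.com link passes.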
