Neither user content nor customer payment details were accessed, but Evernote admits that the hacker/s gained access to usernames, email addresses and passwords. The passwords were hashed and salted, which delays, but does not prevent, the cracking of all but the strongest passwords. For this reason, announced the company, “in an abundance of caution, we are requiring all users to reset their Evernote account passwords.”
The announcement added three pieces of advice: avoid simple passwords that use dictionary words; never reuse the same password on multiple sites; and never click on ‘reset password’ requests in emails. The first gives the user more time to reset a compromised password before it is cracked; the second ensures that a compromised password cannot be used to gain access to multiple accounts; and the third is to defend against phishing attacks and scams (particularly important since it is likely that scammers will take advantage of user confusion and send out emails pretending to be Evernote support).
Few details on the breach have yet been announced, leaving commentators to search for clues on what actually happened. TechCrunch asked Evernote founder and CEO Phil Libin if the breach was connected to last month’s breach at support company Zendesk, but was told, “We don’t know about all the details at Zendesk, so it’s premature to comment on that.”
CNET was told, “We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.” This has led to conjecture that the breach may have followed a phishing or spear-phishing attack that resulted in a Java exploit. However, Evernote spokeswoman Ronda Scott told Reuters “that the hackers did not exploit a bug in Java when they broke into the company's system.”
Bob Lord, the company’s information security director, simply told the BBC that the attack “was not the work of amateurs.” The implication is that the breach was quickly noted (on 28 February), rapidly blocked, and disclosed and remedied by the password reset within 2 days. In some instances hackers have been found to have been present on the network for months before discovery, but such details will not become known until the breach has been fully investigated.
Meanwhile, Graham Cluley of Sophos has claimed that “Evernote shoots itself in foot over ‘never click on reset password requests’ advice.” This, says Cluley, is “a very sound piece of advice,” but he then points out that the associated email sent to customers includes a link that can be used to reset passwords. To make matters worse, the link is disguised as evernote.com but does not go to evernote.com – it goes to mkt5371.com. In reality, this is an email marketing company. “Presumably,” says Cluley, “that’s so Evernote can track and collect data on how successful the email campaign has been.” Nevertheless, he adds, “You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.”
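As an added illustration of the mismatch Cluley describes (this is not code from the article, Sophos or Evernote), the following Python check flags anchors in an email whose visible text names one domain while the href points at another. The sample HTML is constructed to mirror the evernote.com / mkt5371.com case, and the two-label "registered domain" approximation is an assumption standing in for a proper public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: the first link shows evernote.com but points at a
# third-party domain; the second is consistent; the third has no domain text.
SAMPLE_EMAIL_HTML = """
<p>Reset your password at <a href="https://mkt5371.com/track?u=1">https://evernote.com/</a></p>
<p>Help: <a href="https://evernote.com/help">evernote.com/help</a></p>
<p><a href="https://example.org/x">Click here</a></p>
"""

def registered_domain(host):
    """Crude last-two-labels approximation (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that looks like a URL or bare hostname, e.g. "evernote.com/help".
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

def mismatched_links(html):
    """Return (visible_text, href) pairs where the text names a domain that
    differs from the href's domain. Text like 'Click here' is not judged."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        m = HOSTLIKE.match(text)
        if not m:
            continue
        shown = registered_domain(m.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            flagged.append((text, href))
    return flagged
```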