Evernote User Accounts Compromised

Evernote, today, reported that they detected and blocked suspicious activity on their network. As a precaution, they say, they’ve implemented a password reset for all users. When I first read about this, it sounded as if they had already reset your password and you would need to have it emailed to you. Instead, an email sent out instructed users to log in and change their passwords upon login.

What Happened?

Anything I say here would be pure speculation. However, attacks are often as simple as a SQL injection. This usually happens when a website takes user input (like a contact form or blog comment form) and does not properly check and escape it before using it in a database query. It’s more common than you think. For anyone interested in a more technical view of security vulnerabilities, check out OWASP’s Top 10 Project. In reality, any number of things could have let in a hacker, and it’s too early to say for sure.
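To make the SQL injection point concrete, here is an added example (not code from this post or from Evernote) of a lookup built by pasting form input into the query text, beside the parameterised version that treats the input as data. The table and the three sample users are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not real accounts).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_email_vulnerable(conn, username):
    # The form value is glued straight into the SQL text, so a quote
    # character in the input changes the meaning of the query.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, username):
    # Parameterised query: the driver passes the value separately from
    # the SQL text, so whatever the user typed is matched literally.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    results = {
        "safe_normal": find_email_safe(conn, "alice"),
        "safe_quote": find_email_safe(conn, "o'brien"),
    }
    # A perfectly legitimate name containing a quote breaks the
    # string-built query outright.
    try:
        find_email_vulnerable(conn, "o'brien")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"
    # Input that closes the quote and appends its own condition makes the
    # string-built query return every row; the safe query matches nothing.
    probe = "x' OR '1'='1"
    results["vuln_injected"] = find_email_vulnerable(conn, probe)
    results["safe_injected"] = find_email_safe(conn, probe)
    return results
```

The same fix applies in PHP with PDO prepared statements; the principle is that the query text and the user's data never get concatenated.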

Should I Worry?

This is a two-part answer. First, your Evernote account is fine. According to Evernote, no stored data was lost or accessed (other than your credentials, of course). Just reset your password and you should be OK. Your other accounts, however, may not be. Take a look at the most important part of Evernote’s statement:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

This tells me that my username, email and encrypted password are out there in the hands of a hacker, and because Evernote is a large service, it wouldn’t surprise me if a torrent file of this information shows up for download by anyone with an internet connection. “Hashed and salted” means, as they said, one-way encryption: a hacker can run a guessed word through the same hashing method, with the same salt, and see if the result matches the blob of characters next to your username, but they can’t directly decrypt your password. This protection matters, but if your password was cracked that way, the hackers would now have a username/email/password combination to try on many other services. If I were that hacker, I would start with other cloud services, namely Apple’s. If you use the same username and password anywhere else, you should change your password there, too.
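What “hashed and salted” looks like in code, as an added example that is not from this post and not Evernote’s actual implementation (their algorithm is not stated; PBKDF2-SHA256 with a per-user random salt is an assumption here). It shows why two users with the same password end up with different stored hashes, and that checking a login is exactly the same guess-and-compare a cracker would have to run for every candidate word.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for the demo; production settings
# should be tuned so each check costs a noticeable fraction of a second.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def store_record(username, password):
    # The row a site would keep: username, salt and hash, never the password.
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt.hex(), "hash": digest.hex()}


def check_login(record, password):
    return verify_password(
        password, bytes.fromhex(record["salt"]), bytes.fromhex(record["hash"])
    )


def demo():
    # Constructed sample accounts; both deliberately share a password.
    alice = store_record("alice", "correct horse battery staple")
    bob = store_record("bob", "correct horse battery staple")
    return {
        # The salt makes identical passwords produce different hashes, so a
        # leaked table does not reveal who shares a password with whom.
        "same_password_different_hash": alice["hash"] != bob["hash"],
        "right_password_accepted": check_login(alice, "correct horse battery staple"),
        "wrong_password_rejected": not check_login(alice, "password"),
    }
```

Because a leaked record contains the salt, the only thing protecting a weak password is the cost of each guess, which is why an easily guessed word falls quickly even when it is stored this way.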

How To Protect Yourself

While websites and online services have legal and ethical obligations when it comes to storing your information, you should have some rules of your own.

Use a secure password that you can remember. The word “password” is sadly not only the most insecure password, but also the most popular. If it was easy for you to come up with and type in, it’s likely easier to crack. Don’t use your birthday, any word that can be found in a dictionary, or anything someone could guess with a little information about you.

Don’t write it down if you can help it. If I were in your house and wanted to get into your computer, the first place I would look is under your computer. Shockingly often, people just put their password on a sticky note and stick it to their monitor. The password is only as good as the user. Protect it like you’re protecting what it gets access to. If you wouldn’t leave your life’s savings on your desk, don’t put your password to it there, either.

Split up your passwords. This is a hard pill to swallow, but you absolutely should use a different password for each site. The cost is convenience, but the reward is not having every account you own hacked just because one site let your password get out. If this is too hard for you, use individual passwords for any site with finances or sensitive information, and another “global” password for the 150 other sites that are less critical.

Don’t just stick to one rule, either. I know from experience that thinking you’re doing so well on one rule (like having an incredibly hard-to-crack password) that it excuses you from the other rules is a good way to get hacked.

Author: Joe Colburn

Joe Colburn is a software engineer specializing in PHP and a technology enthusiast. Always eager to dive into new and exciting things, Joe writes about technology-related news and products that he thinks you will also be excited about. Find Joe Colburn on Google+ or by any of the links below.

30 thoughts on “Evernote User Accounts Compromised”

  1. Wow, I didn’t get a notice regarding my password, but it’ll be a good idea to change my pass anyway. If you’re using a lot of services, maybe using a password tracker like KeePass (http://keepass.info/) can help keep ’em organized.

  2. Changing passwords every so often is a good practice for any and all accounts/profiles. Using unique combinations of numbers and letters plus different case sets is a good way to protect yourself.

  3. Changing your passwords every 3 months, I think, is good practice to try and avoid this type of situation. More and more often you hear about security breaches like this, so it is best to try and stay ahead of things.

  4. There are a lot of passwords assigned by me to different websites. It’s so difficult to find and understand them. I hear that there is a lot of software for managing passwords, but I don’t use it. I note them down on my PC and store them. It is not so secure, but I do that in my personal folders… It’s a very nice concept and content to share.

  5. You’ll find a wide range of private data tends to be assigned by everyone to the different web sites. This is so difficult to find out about and understand.

  6. Yeah, it’s good to update our passwords regularly. It’s a good way to protect yourself, with the use of a password that contains numbers with letters.

  7. Make sure to use a different password for every account. Always use special symbols like @, %, * and digits in your password to prevent hackers. This is old and tedious and unrealistic advice.

  8. Your password should be a good mix of letters and numbers that do not mean anything. Have a different one for all the social media sites, forums, etc. that you are in and need to log on to. Unfortunately, you have to keep all the different codes in mind.

  9. As the internet market is growing daily, it’s very important to protect oneself. I agree with all the ideas you have presented in your post. They are very convincing and will definitely work. Thanks for the post.

  10. I try to reset my passwords as often as I can to avoid any trouble. I am sure the Evernote accounts will be fine. Just make sure your email password is not the same as your Evernote account info.

      – Robert

  11. I personally feel that this type of good site should be developed by more people to provide secure net surfing on a budget. Security is the main issue while surfing social sites.
