Evernote Database Popped – Usernames, Email Addresses, & Hashed Passwords Potentially Exposed | NoVA Infosec


URL:https://www.novainfosec.com/2013/03/02/evernote-database-popped-usernames-email-addresses-hashed-passwords-potentially-exposed/


We found out this morning that the popular Evernote service has released a security notice due to suspicious activity on their network. Apparently attackers had access to user login details, including usernames, email addresses, and hashed passwords. And here we thought we weren’t going to have anything to write about this weekend. Thanks to @MarcoFigueroa for the more aptly named post title… As usual, Evernote is forcing a password reset for all accounts.

Being a paid subscriber for several years and wishing for more security features, I hope this incident is the little extra push they need to provide the capability for note, notebook, or account client-side password encryption, similar to how LastPass stores password databases. Basically everything is a big blob that not even LastPass has access to. It would be nice for Evernote to follow in their footsteps. And of course this incident is sure to bring up a multitude of people calling for implementation of two-factor authentication.

Here’s the Evernote advisory with several of the more interesting quotes highlighted and commented on.

Evernote’s Operations & Security team has discovered and blocked suspicious activity (finally people are starting to monitor more; hopefully they actually detected it and were not only responding to external notification) on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service. As a precaution to protect your data, we have decided to implement a password reset (standard response). Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost (mmm? but was there any evidence to the contrary?). We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords (and the password cracking begins). Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted (great, but we need a little more information here … e.g., was it MD5? was SHA-1 used? was it plain old hash & salt or something more secure like PBKDF2, BCrypt, or SCrypt?).)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com. After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use.

We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours. As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content. There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure (yep, your standard “pick good passwords when resetting” statement):

Avoid using simple passwords based on dictionary words
Never use the same password on multiple sites or services
Never click on ‘reset password’ requests in emails — instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience (please don’t sue us). If you have any questions, please do not hesitate to contact Evernote Support.
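The question raised above (a single salted hash versus an iterated scheme like PBKDF2) is the one that decides how much a leaked password table is worth to whoever has it. The following is an added Python example, not code from this post or from Evernote, contrasting "plain old hash & salt" with PBKDF2-HMAC-SHA256, showing what a service should store per user, how to verify a login, and how much slower each offline guess becomes; the iteration count and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2 (assumed value); the defender raises it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def salted_sha1(password: str, salt: bytes) -> str:
    """'Plain old hash & salt': one SHA-1 over salt || password. The salt
    defeats precomputed tables, but each guess still costs a single SHA-1."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password: str) -> dict:
    """What a service should keep per user: a random salt, the work factor, the digest.
    Two users with the same password get different records because of the salt."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    candidate = pbkdf2(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def slowdown_factor(samples: int = 5) -> float:
    """Ratio of the cost of one PBKDF2 guess to one salted-SHA-1 guess, i.e. how
    much harder a leaked table is to brute-force offline. Measured, so it varies by host."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        salted_sha1("correct horse battery staple", salt)  # constructed sample password
    fast = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for _ in range(samples):
        pbkdf2("correct horse battery staple", salt)
    return (time.perf_counter() - t0) / fast


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(verify(rec, "correct horse battery staple"), verify(rec, "wrong"))
    print(f"PBKDF2 guess is ~{slowdown_factor():.0f}x slower than salted SHA-1")
```

A record like this also answers the question the post asks of the advisory: the scheme and work factor are stored alongside the digest, so a notice can state them.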

#####

Today’s post pic is from Being Hacked. See ya!

Tags: evernote, hashed passwords, password reset

