Evernote Security Breach

You read my privacy article, RIGHT? I suspect there are a few new Evernote users after my Evernote article. If you haven’t checked your email yet, this is what you’ll find:

Dear Evernote user,

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails – instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote Team

Immediately go to Evernote.com and reset your password. You should also get a notification when you start up Evernote on your computer about downloading a new version. Download the new version immediately as well.

In the world of data breaches this event is not as bad as has been seen with some other services. It appears that Evernote has handled the unfortunate event in good form. Alerting users to the breach and immediately resetting user passwords is probably the best response. The fact that Evernote uses a best-practice approach when it comes to password storage makes me feel a little less worried.

Evernote salts the passwords. This means that a random string of bits (the salt), different for every user, is combined with your password before it is hashed. A hash is a mathematical algorithm that converts the salt and password, one way, into a form that cannot be turned back into the original password; only the salt and the hash are saved, never the password itself. Because each salt is random, two users with the same password end up with different stored hashes, and an attacker cannot reuse a precomputed table of hashes for common passwords against the whole user list. Every account has to be attacked separately, which greatly raises the cost of recovering passwords from the stolen data. Salting does not, however, make a weak password safe: a dictionary word can still be guessed one account at a time, which is why the reset and the advice about dictionary words matter.
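To make the point concrete, here is an added example (my own illustration, not Evernote’s code, whose actual hashing scheme the notice does not describe) that stores a password two ways: as a plain hash, and as a salted, iterated hash using Python’s standard-library PBKDF2. The user names and the short word list are constructed for the demonstration. It shows that a precomputed table cracks the unsalted hash instantly, that the same table is useless against the salted record, and that a weak salted password still falls to a per-account guessing loop.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for the attacker's dictionary.
WORDLIST = ["123456", "letmein", "password1", "qwerty", "evernote"]

# Fewer iterations than a real deployment would use, to keep the demo fast.
ITERATIONS = 50_000


def hash_unsalted(password: str) -> str:
    """The weak way: a bare SHA-256 of the password, same output for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """The salted way: random per-user salt, slow iterated hash, salt stored beside it."""
    if salt is None:
        salt = os.urandom(16)  # 128 random bits, unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputed_table(words) -> dict:
    """Attacker's rainbow-table stand-in: hash every word once, reuse for all victims."""
    return {hash_unsalted(w): w for w in words}


def crack_with_table(table: dict, stored_hash: str) -> Optional[str]:
    """One dictionary lookup per stolen hash; works only when there is no salt."""
    return table.get(stored_hash)


def crack_salted(record: dict, words) -> Optional[str]:
    """With a salt the attacker must redo the slow hash per account and per guess."""
    salt = bytes.fromhex(record["salt"])
    for w in words:
        digest = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, record["iterations"])
        if hmac.compare_digest(digest.hex(), record["hash"]):
            return w
    return None


def demo() -> dict:
    """Two constructed users share the weak password 'password1'; one uses a strong one."""
    alice_plain = hash_unsalted("password1")
    bob_plain = hash_unsalted("password1")
    alice_salted = make_record("password1")
    bob_salted = make_record("password1")
    carol_salted = make_record("7h!s-1s-n0t-1n-any-w0rdl1st")
    table = precomputed_table(WORDLIST)
    return {
        "unsalted_collide": alice_plain == bob_plain,          # identical stored hashes
        "salted_collide": alice_salted["hash"] == bob_salted["hash"],
        "table_cracks_unsalted": crack_with_table(table, alice_plain),
        "table_cracks_salted": crack_with_table(table, alice_salted["hash"]),
        "loop_cracks_weak_salted": crack_salted(alice_salted, WORDLIST),
        "loop_cracks_strong_salted": crack_salted(carol_salted, WORDLIST),
        "login_ok": verify("password1", alice_salted),
        "login_wrong": verify("password2", alice_salted),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `crack_*` functions are the whole argument in code: the unsalted table is built once and reused against every leaked hash, while the salted loop has to be rerun from scratch for each account, and still succeeds when the password is in the dictionary.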

Another word of caution. This breach gave the attackers your email address, so expect it to be used. Please take extra care with any emails you receive. If you didn’t request a password reset email, ignore it and report it to the service provider immediately. Remember, service providers will not ask you for your current password via email. If you have any doubt about whether an email is trustworthy, just open your browser and type in the service’s address directly. That way you never click a fraudulent link in the email.

Keep safe out there!


About Mike

I'm a software engineer. Look into the about page for more information about me.

One Response to Evernote Security Breach

  1. Andrea says:

    That explains the notice I got when I logged in. I didn’t get the memo though – or deleted it.