Evernote breached, forces service-wide password reset

The popular notetaking and archiving service Evernote has notified its 50+ million users that the service’s internal network has been breached by attackers and that they are forcing a password reset for all users.

“In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed,” Evernote CTO Dave Engberg wrote in a blog post published on Saturday.

“The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.”

Even though the passwords were hashed and salted – which algorithm is used to do this is not mentioned – the company has decided to make users reset their passwords just in case.

They are also required to enter the new password in other Evernote apps they use, and were notified of imminent updates to several of them.

“As recent events with other large services have demonstrated, this type of activity is becoming more common,” wrote Engberg, possibly implying that the breach was effected via the exploitation of the Java 0-day vulnerability as was the case in the recent watering hole attacks that compromised Facebook, Apple, Twitter and Microsoft.

The blog post was also sent to all users in an email, as a way of explaining what happened and why they’ll have to choose new passwords. Unfortunately, it contained an embedded link that would take them to the account, even though they advised users against clicking on “reset password” requests in emails towards the end of the message.

A lot of users have become worried that the message was a phishing attempt, especially because the offered link pointed to what obviously wasn’t the official Evernote login page. The company rectified the mistake in the middle of the email campaign, removed the link, and explained that the link was legitimate and was generated by their email service provider.

According to a statement issued by the company, the compromise was discovered on February 28, so the notification to users was set out pretty fast. Even so, it would have been great to be told how the breach was pulled off.

“Whilst no compliance violations appear to have taken place at Evernote, the company will still have to deal with the negative impact on the brand and customer confidence. And though it’s reassuring that no customer data appears to have been tampered with and no payment information has been compromised, the company has rightly called on its 50 million users worldwide to reset their passwords as soon as possible,” Paul Ayers, VP EMEA of Vormetric, commented for Help Net Security.

“Unfortunately this type of data breach is becoming more and more common. Company data, sensitive or otherwise, resides on servers that are under siege by cybercriminals. Unfortunately, legacy controls are unable to counter the new breed of persistent attacks and, as such, organisations need to re-evaluate their existing security postures to meet tomorrow’s threat. In order to be effective in this evolving security landscape, organisations must apply access controls with encryption as close as possible to any sensitive customer data in order to mitigate the impact of breach incidents.”

Don't miss