50 million users compromised in Evernote hack
(CNN) — Tens of millions of online note-takers found themselves worrying about their security Monday, as questions remained about a weekend hack of Evernote.
The online note-taking and archiving service began requiring its 50 million users to reset their passwords Saturday after announcing it was the victim of a security breach, making it the latest tech company in recent weeks to fall victim to hackers.
In a blog post, the California-based company said its security team “has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.”
The company said no user content or financial information was accessed. But the hackers were able to access user information, including user names, e-mail addresses and encrypted passwords.
Evernote said the encryption coding they use to protect passwords is “robust,” but still sent the password warning to users of the service, which is popular among college students and others who rely on taking notes for later use.
Sophos Security analyst Graham Cluley said in a blog post that it remains unclear how long the hackers had access to Evernote and how they managed to get in.
“What’s not good news,” he wrote, “is that the hackers now have access to the usernames and email addresses of Evernote customers. It is easy to imagine how this information could be abused — for instance, the hackers could send out spam emails to those users claiming to come from Evernote, and trick them into visiting a malicious website.
“And, of course, it’s another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information.”
Like many services, Evernote stores data on remote servers instead of the user’s computer. This allows them to be accessed from multiple computers and other devices.
Evernote warned users of the possibilities Cluley noted. He argued that their message — warning users not to click phony security e-mails while sending out a security e-mail of their own — could confuse users.
Complicating matters is that the legitimate Evernote e-mail pushes users first to a website with the domain name “mkt5371” before taking them to Evernote itself. Cluley wrote that this is a service Evernote is likely using to track how many of its users changed their passwords and says not to worry.
“That’s a technique commonly used in a normal marketing email communications, but looks very out of place in an email about a security breach which tries to hammer home the point to ‘Never click on reset-password requests in emails,” he said.
Last week, customer support tool Zendesk announced it was hacked, with the breach exposing the e-mail addresses of users of three other websites — Tumblr, Pinterest, and Twitter, all of which use Zendesk.
Microsoft, Apple, and Facebook last month said they were the victim of hackers, and Twitter said in January that it, too, was hacked.
Reports that surfaced last week suggested that a gang of hackers based in Eastern Europe was behind at least some of the attacks, using a website frequented by developers who use Apple’s mobile operating system to worm their way into companies where they hoped to steal valuable information.
Evernote launched in 2008 as a way to archive images, documents, notes and other data online. A version for businesses is available in more than 30 countries.