Evernote's forum site hacked; Note Service untouched

Summary: Password hashes and email addresses stolen from third-party forum site less than a week after DDoS attack

Evernote’s forum site, which hosts 164,644 members, has been hacked, and the note-taking and archiving site sent an email to affected members Monday recommending they change their passwords if those credentials were reused on other sites.

The company said the hackers stole profile data, password hashes, email addresses and birth dates. It did not say how many users were directly affected.

The company, however, stressed that an entirely separate network that hosts the popular Evernote Service was not affected and user notes are secure.

“We do not store your Evernote password on our discussion forum servers and you do not need to change it,” the company said in a blog post on the forum site. Since 2011, Evernote has used a single sign-on (SSO) model where users authenticate to the Evernote Service and an authentication token is passed to the third-party site for access into the forum. The third party never sees or stores an Evernote user's password.
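A simplified model of the token hand-off described above, added here as an illustration rather than Evernote's or the forum vendor's code: the service mints a signed token only after the user has authenticated to it, and the forum checks the token with a shared key, so nothing password-derived ever reaches the forum's servers. The shared key, claim names and audience label are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment issues one per relying party.
SHARED_KEY = b"constructed-example-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, audience: str, now: float, ttl: int = 300) -> str:
    """Identity-provider side: called only after the user proved their password
    to the main service. The token carries identity claims and an expiry, never
    the password or its hash."""
    claims = {"sub": user_id, "aud": audience, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, expected_audience: str, now: float):
    """Relying-party (forum) side: returns the user id if the token is authentic,
    unexpired and addressed to this site, otherwise None. The forum stores and
    checks only this token, so a dump of its data holds no password material."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered claims or forged signature
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None  # minted for another site, or expired
    return claims.get("sub")
```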

Just last week, the Evernote Service was disrupted by a denial-of-service attack, which the company announced on the afternoon of June 10. The issue affected the service for the next 32 hours before it was resolved. The service has more than 100 million users. In March 2013, the company sent out an e-mail detailing how its operations and security team had discovered and blocked suspicious activities on its network.

Evernote did not say if the incidents were related.

The forum site is hosted by a third party that notified Evernote the network was hacked.

“The hacker was able to retrieve our forum members’ profile information. We don’t believe that the hacker accessed any private forum messages,” Evernote said in an email sent to each forum member that was affected.

Evernote told users that if they created passwords on the old Evernote forum in 2011 or earlier (before the implementation of Evernote's SSO), the hashes of those passwords were stolen as part of the incident.

“If you use that same password on other services today, please update it. For all other forum members, only your email address and birthday, if you provided one, were taken.”

Some users who were informed of the incident by Evernote, and that have heeded advice not to re-use passwords across sites, took the news in stride.

“A few years ago such a notice of a data breach might have caused panic. Today I feel not much else other than ‘another day another online hack,’” wrote Wayne Schulz, a consultant and forum member. “Why? The reason for this is I long ago gave up re-using any password on more than one site. Hackers in general are looking to compromise sites not so they can vandalize them — though that happens too — but more often so they can mine user names and passwords in hopes that the user has carelessly re-used them on another site.”

Topics: Security, Cloud

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
