Evernote hacked, forces password reset

Summary: The popular multi-platform, note-taking web application Evernote has had its master website hacked — and you must change your password before you can use it.

TOPICS: Security, Networking

2013 may become known as the year of the hacker. Following successful hacks of Apple, Facebook, Microsoft, and NBC's websites and servers, the servers of the popular multi-platform, note-taking web application Evernote have been hacked.

Evernote has been cracked and is requiring all its users to reset their passwords.
(Image: Evernote)

Evernote reported that while it caught the attack early on, its "investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)"

Despite this encryption, Evernote is requiring all of its users to change their Evernote account passwords. You can do this either the next time you try to use Evernote via the website or by going to the main site now and creating a new password. If you need help with this, Evernote asks that you contact it via its online support webpage.

After signing in to the website, you will be required to enter a new password. Once you have reset your password, you will need to enter this new password on all of your Evernote apps. The company also stated, "We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours."

In addition, the company reminds all Evernote users of the usual precautions for securing any online account:

  • Avoid using simple passwords based on dictionary words.

  • Never use the same password on multiple sites or services.

  • Never click on "reset password" requests in emails — instead, go directly to the service.

To this list, I might add that choosing the option to stay logged into Evernote for up to a week at a time is not a safe choice.

This successful hacking of Evernote is unlikely to have resulted from hackers simply breaching individual user accounts. Many successful website hacks in recent weeks have been the result of security holes in Java browser plugins. As a result, security experts have been warning users to disable Java on their PCs.

This theory seems credible, since, in a statement made to CNET, an Evernote spokesperson said, "Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack. They are continuing to investigate the details. We believe this activity follows a similar pattern of the many high-profile attacks on other internet-based companies that have taken place over the last several weeks."

Nevertheless, he continued, "At this time, we believe we have blocked any unauthorized access, however security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account login."

  • Considering that Steven didn't mention MS, could it be. . . .

    that Evernote uses Linux servers and got hacked? Could it be?
    • We don't even know how Evernote was hacked.

      And yet you're already trying to generate spin? Geez.
      • Steven said it was hacked,

        therefore, it must be. As one of his minions, you must accept everything he says.

        Therefore it was hacked. I asked a question, based on Steven's past reporting habits. If they'd been using MS products, he would have had a field day.

        Therefore, you must be the one generating spin. I'm just asking a question, COULD IT BE?
        • Did you know that MS was also hacked recently?

          The details are here:
          http://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx

          Again, I have no details of how this happened. Except that I'm fairly sure that they weren't running Linux.

          Perhaps Evernote was running Windows, and was hacked in the same way that MS was?
          • read ability

            >>>Perhaps Evernote was running Windows, and was hacked in the same way that MS was?

            No, Evernote was not involved in this; just read what they write on the site you linked.

            >>As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

            Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations

            They were hacked in the same way as Apple, by using Apple's OS, an OS which has a *nix kernel...
          • Yes, MS is being coy here.

            MS doesn't say how it was hacked at all here, although it does make some innuendoes. But saying:

            "we found a small number of computers, including some in our Mac business unit"

            isn't the same thing *at all* as saying "they hacked their way in via our Macs".
          • Anyway, Apple and Facebook seem to have been hacked via Java.

            Since people insist on playing "COULD IT BE?" games, COULD IT BE that Evernote was also hacked via Java? And MS too, for that matter?
          • Whether MS was hacked or not is unimportant

            this is about evernote. I asked a question, you immediately went into FUD mode, just like Linux fans regularly accuse MS.

          • And we don't know what Evernote is running.

            Do you know? If so, please reveal.

            And the reason I mentioned MS getting hacked is because it suggests that running Windows might not have prevented Evernote getting hacked. (MS is assumed to run Windows internally and know how to administer it.) In which case, why do you even care what Evernote is running?
          • Tsk. Also meant to add that...

            ... we have almost ZERO information about how Evernote was hacked too. So your "COULD IT BE..." games are doubly silly.
    • Yep that's an Apache server

      Whether it's running on Windows, Unix or Linux would be the question.

      Perhaps Steven can enlighten us ;-)
  • Yep

    My app is saying my password has changed. Should I have gotten an email?
    • E-Mail

      If you changed your password, you should get an e-mail letting you know that it was successful. If you haven't changed it and you're getting a notice from your app, I'd check in with Evernote support pronto:


    • Evernote pw not changed

      jpolk84 thinks his password was changed, and he did not get an email. Most likely his mobile app is "prompting" for the password, which has been reset by Evernote to protect his account. It has not been changed, just flagged for a new password. Log on to Evernote and follow their password reset procedure.
  • Really nothing to do with Java.

    It's a web server that's been rooted. No connection with end users whether they run a JVM or not, so it's not the slightest bit fair to imply any fault of the user. This was a weakness by Evernote; no one else except the crackers is to blame.
    • Where does it say that?

      I haven't seen anything anywhere about a Web server getting rooted.

      But the advisory does say:
      "We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks."

      If by this they mean Apple and Facebook then maybe Evernote *was* Java-related?
      • I see the "phantom flaggers" have arrived.

        Although they obviously had nothing useful to add to the discussion...
  • Corporate Bad Security Habits

    sjvn's comment, "To this list, I might add that choosing the option to stay logged into Evernote for up to a week at a time is not a safe choice." hints at the REAL problem here. Evernote, like so many other companies, is encouraging customers to do a few "feel-good" actions, but they are NOT encouraging nor practicing complete, sound security themselves.

    It does no good to encourage the users to use strong passwords if they leave the password info on the server in a place where hackers can get it, nor if they allow access to HTTP clients that present the right cookies.
  • Evernote library gone

    I reset my pw and when it logged back in, all of my Evernote data was gone...all of it. Tried syncing with the server but nothing. Has this happened to anyone else?