Evernote hacked, forces password reset

The popular multi-platform, note-taking web application Evernote has had its master website hacked — and you must change your password before you can use it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

2013 may become known as the year of the hacker. Following successful hacks of Apple, Facebook, Microsoft, and NBC's websites and servers, the servers of the popular multi-platform, note-taking web application Evernote have been hacked.

Evernote has been cracked and is requiring all its users to reset their passwords.

Evernote reported that while it caught the attack early on, its "investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)"

Despite this encryption, Evernote is requiring all of its users to change their Evernote account passwords. You can do this either the next time you try to use Evernote via the website or by going to the main site now and creating a new password. If you need help with this, Evernote asks that you contact it via its online support webpage.

After signing in to the website, you will be required to enter a new password. Once you have reset your password, you will need to enter this new password on all of your Evernote apps. The company also stated, "We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours."

In addition, the company reminds all Evernote users of the usual precautions you should take with your security on any online account:

  • Avoid using simple passwords based on dictionary words.

  • Never use the same password on multiple sites or services.

  • Never click on "reset password" requests in emails — instead, go directly to the service.

To this list, I might add that choosing the option to stay logged into Evernote for up to a week at a time is not a safe choice.

This successful hack of Evernote is unlikely to have resulted from hackers simply breaching user accounts. Many successful website hacks in recent weeks have been the result of holes in Java web plugins. As a result, security experts have been warning users to disable Java on their PCs.

This theory seems credible, since, in a statement made to CNET, an Evernote spokesperson said, "Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack. They are continuing to investigate the details. We believe this activity follows a similar pattern of the many high-profile attacks on other internet-based companies that have taken place over the last several weeks."

Nevertheless, he continued, "At this time, we believe we have blocked any unauthorized access, however security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account login."
