
Online note service Evernote latest firm to get hacked

Company behind application used by about 50 million people says some user data was accessed, and it requires all users to reset passwords.

Edward Moyer Senior Editor

Yet another company has fallen victim to a hack, with attackers breaking into systems at Evernote, maker of a Web-based note-taking application used by about 50 million people.

The company said in a security notice that some user data had been accessed and that Evernote was requiring all users to reset their passwords. Apparently, though, no sensitive financial information was stolen, and no user content was affected:

"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," the company said in the statement, which was e-mailed to users and posted online. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed."

What was accessed, the company said, were usernames, e-mail addresses associated with Evernote accounts, and encrypted passwords. The company emphasized in the notice that "the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)"

The notice goes on to walk users through the password-reset process and to give tips on how to create an effective password.

Evernote is just the latest company to suffer at the hands of hackers. Microsoft, Apple, Facebook, and Twitter have all been victimized recently. And of course there were the high profile hacks at The New York Times, The Washington Post, and The Wall Street Journal that helped prompt President Obama to sign an executive order on cybersecurity.

There has been speculation that the Chinese military was behind the hacks at the newspapers -- though the Chinese government denies this -- and that the Apple, Facebook, and Twitter hacks may have been the work of Eastern European cybercriminals.

In a statement sent to CNET, an Evernote representative said the breach of the company's systems "follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks." The representative also addressed our question about what Evernote is doing to reassure current and potential users about the safety of its products. Here's the rep's statement in full:

Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack. They are continuing to investigate the details. We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.

At this time we believe we have blocked any unauthorized access, however security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account log-in. We are actively communicating to our users about this attack through our blog, direct e-mails, social media, and support. This simple step of users creating strong, new passwords will help ensure that user accounts remain secure.

As you point out, attacks like this are becoming more commonplace for all Internet-related companies and services. Evernote's ops and security team ensures we are using the latest and strongest security protocols. In addition, the team continuously and aggressively monitors for unusual activity patterns. This allows us, as was the case in this instance, to catch new and novel attack types as soon after they begin as possible.

Update, 10:45 a.m. PT: Adds statement sent to CNET from Evernote representative.