Brian Krebs 2-Mar-2013 (krebsonsecurity)
Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.
In an email message sent to users today and posted on its blog, Evernote said digital intruders gained access to customer usernames, email addresses and encrypted passwords. The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.
“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted),” the company advised. “While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords.
Please create a new password by signing into your account on evernote.com.”
https://krebsonsecurity.com/2013/03/evernote-forces-password-reset-for-50m-users/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
=========
From Evernote
Security Notice: Service-wide Password Reset
Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
Avoid using simple passwords based on dictionary words
Never use the same password on multiple sites or services
Never click on 'reset password' requests in emails — instead go directly to the service
Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.
Evernote Support: https://evernote.com/contact/support/
Link to full announcement: https://evernote.com/corp/news/password_reset.php
Salt (cryptography): https://en.wikipedia.org/wiki/Salt_%28cryptography%29
Hash function: https://en.wikipedia.org/wiki/Hash_function