Evernote, the popular Internet-based note-taking service, has posted an advisory that it has suffered a security breach that it believes allowed attackers to infiltrate its systems and take the usernames, associated e-mail addresses and hashed passwords of all 50 million registered users.
In addition to the advisory, Evernote is requiring users to reset their passwords immediately, a heavy-handed but fitting precaution to keep them safe from potential harm. If you have not logged into your account since Friday, be sure to do so and change your password right away.
“While our password encryption measures are robust,” writes Evernote in the advisory, “we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords.”
Also in good form, Evernote stores passwords in salted, hashed form (what its advisory calls "encrypted"), and that is what the attackers absconded with. In the past we have seen situations where attackers pilfered poorly protected passwords (as in LulzSec's June 2011 rampage), which leaves a multitude of users instantly vulnerable to attacks against other services they subscribe to. However, even salted-and-hashed passwords can still be cracked by guessing; it just takes the attackers longer, and that delay buys crisis management time to get users' passwords changed and squared away.
Evernote cautions users with standard security advice: avoid simple dictionary-based passwords (they are the first to be cracked), never reuse the same password across multiple services (especially not with the same username or e-mail), and never click a "change password" link in an e-mail; instead, go to the service itself and use its own page directly (to avoid spear-phishing attempts).
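To make the two preceding points concrete (why a per-user salt plus a slow hash buys time, and why a dictionary password still falls quickly), here is an added example of salted password storage and verification. It is illustrative code written for this article, not Evernote's scheme, which the advisory does not describe; the PBKDF2 parameters and the six-word wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed work factor for the demo: every guess costs this many HMAC-SHA256 rounds.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user means identical
    passwords produce different digests, so precomputed lookup tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare so timing leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def guesses_needed(wordlist, salt: bytes, digest: bytes) -> Optional[int]:
    """How many PBKDF2 evaluations a stolen (salt, digest) pair costs to recover
    with this wordlist; None if the password is not in the list at all.
    Each evaluation is ITERATIONS rounds, which is the 'takes longer' in the text."""
    for n, word in enumerate(wordlist, start=1):
        if verify_password(word, salt, digest):
            return n
    return None


# Constructed sample wordlist, standing in for the common-password lists the article warns about.
WORDLIST = ["123456", "password", "letmein", "evernote", "qwerty", "dragon"]


def demo() -> Tuple[bool, Optional[int], Optional[int]]:
    s1, d1 = hash_password("evernote")
    s2, d2 = hash_password("evernote")
    salted_differently = d1 != d2                    # same password, different stored values
    dict_cost = guesses_needed(WORDLIST, s1, d1)     # dictionary password: found on guess 4
    s3, d3 = hash_password(secrets.token_urlsafe(12))
    random_cost = guesses_needed(WORDLIST, s3, d3)   # random password: not in any short list
    return salted_differently, dict_cost, random_cost
```

Raising ITERATIONS (or switching to a memory-hard function) multiplies the cost of every guess without changing the verification code path.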
These sorts of attacks have appeared to accelerate of late (with hits to services such as Twitter, LinkedIn and Instagram), but by and large they have continued at about the same base rate. Companies that get hacked have simply had the better sense to notify their customers, LulzSec and others have made the activity famous by publicly releasing the fruits of their exploits, and the media has been shining a brighter light on the subject.