UPDATED 06:50 EST / MARCH 04 2013

NEWS

Stupid Evernote Can’t Even Reset Passwords Properly

What with the likes of Apple, Facebook and Twitter all falling victim to high profile hacks in recent weeks, few were surprised to hear of Evernote suffering a similar security breach last weekend. Evernote, which is a kind of web-based scrapbook/notebook that allows you to save notes and webpages, and sync this across multiple devices, moved quickly to repair the damage, resetting the passwords of its 50 million-odd users, but the cock-up didn’t quite end there.

Evernote deserves some credit for admitting the breach as quickly as it did, informing its users of the problem via email much more swiftly than Facebook and especially Apple did so. But in their haste to do so, the company made one almighty foul-up, sending what looks to be a spoof link in their password-reset email.

No doubt Evernote thought by acting so quickly it would help to ease the concerns of its 50 million users. The company’s email explaining the situation was quick to point out that no data had been accessed, changed or stolen, adding that none of its customer’s financial details had been accessed. However, the fact remains that user names, passwords and emails were all stolen, and though Evernote’s passwords are hashed and salted and not at all easy to crack, it didn’t want to take any chances.

Evernote’s email states:

“in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.”

But this is where the problem lies, for Evernote goes on to insert a link in the email, redirecting users to http://links.evernote.mkt5371.com. This isn’t the full URL, as each user will have a unique version, but anyone with even the most rudimentary knowledge of email security would have alarm bells ringing in their ears. The URL looks remarkably similar to those used by email scammers, or phishers, that send fake emails from official services like PayPal and banks, asking recipients to click on a link and reset their password.

The issue here is that mkt5371.com is NOT Evernote.com, so what/who the hell is it?

 

Actually, the link is totally innocent, simply being the URL to the mail server of Silver Pop – the marketing firm handling Evernote’s response to the breach. Users can click the link and safely reset their passwords, but the point is, how many people refused to do so because they thought it was a scam? Quite a few, methinks.

To make matters worse, Evernote finishes off its email with a quick heads up, reminding users to NEVER CLICK ON PASSWORD RESET LINKS in an email, but instead go directly to the service… This is after twice prompting users to click on the dodgy link its sent. Umm…?

So what to make of all this? Well, first of all, kudos to Evernote for at least trying to reassure people and clean things up as quickly as they can, but one has to wonder about a company that acts in such an amateurish fashion.

For instance, if the hackers managed to access the user names and the passwords, what’s to stop them from logging into Evernote and resetting someone’s password themselves? All they need to do is decrypt the original password and they’re in, but somewhat worryingly Evernote hasn’t revealed what kind of encryption it’s been using.

Data breaches of this sort have become all too common lately, and if they continue we could well see much wider repercussions for cloud-based services – will consumers simply become desensitized to this kind of security risk and continue to place their trust in them anyway, or will people begin to migrate away from the cloud to more secure environments?


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU