Evernote Note-Taking, Archiving Service HackedUsernames, E-mail Addresses, Encrypted Passwords Exposed
In warning customers of a breach, the online note-taking and archiving service Evernote might have confused some of its 50 million customers by sending them an e-mail that contained a clickable link to be used to reset passwords, despite warning against using such links.
Evernote says a breach that occurred late last week exposed some of its 50 million customers' usernames, e-mail addresses and encrypted passwords, and is requiring customers to reset their passwords. Evernote says its passwords are one-way encrypted - in technical terms, they're hashed and salted.
Chief Technology Officer Dave Engberg, in a company blog, says its security team had found no evidence that any of the content customers stored in Evernote was accessed, changed or lost. Engberg also says the company has no evidence that payment information for Evernote Premium or Evernote Business customers was accessed.
"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," Engberg says, referring to the passwords' resets.
Engberg says Evernote sent e-mails to customers notifying them of the breach, but as security blogger Graham Cluley points out, the e-mail contains a link to reset the password even though it instructs customers "never click on 'reset password' requests in e-mails - instead go directly to the service."
That confused a customer identified as Brian Ogilvie, who wrote on Evernote's chat site that he didn't believe the e-mail he received from the company. "I thought it was a phishing attack since the link in the e-mail to reset the password was not in the Evernote.com domain but mkt5371.com. That was a bad idea."
Mkt5371 is the site of the marketing service Silverpop, which Evenote employs, so it could track and collect data on how successful the e-mail notification worked, explains Cluley, who writes for the blog nakedsecurity that's posted on the website of security provider Sophos.
"This was just carelessness on Evernote's part," Cluley writes. "That's a technique commonly used in a normal marketing e-mail communications, but looks very out of place in an e-mail about a security breach. ... You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an e-mail with links like that."