Slashdot Mirror


Evernote Security Compromised

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email addresses, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

22 of 104 comments

  1. Shocking... by ohzero · · Score: 3, Interesting

    One more trendy company that didn't have a security program gets compromised. It's almost as if ignoring the problem doesn't make it go away. Pentest, code review, remediate, and test some more. Or, you know, lose brand value...that's the other option.

    --
    -- http://www.criticalassets.com
    1. Re:Shocking... by Mr Thinly Sliced · · Score: 5, Interesting

      As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

      It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

      At the very least their internal security team now gets a nice big stick to beat management with to stop cutting certain corners.

    2. Re:Shocking... by u38cg · · Score: 5, Insightful

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      --
      [FUCK BETA]
    3. Re:Shocking... by Majik Sheff · · Score: 2

      Came here to post this exact thing. They REALLY screwed up the notification email.

      --
      Women are like electronics: you don't know how damaged they are until you try to turn them on.
    4. Re:Shocking... by nametaken · · Score: 4, Insightful

      Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

      Evernote seems to have done what you should do in a situation like this.

    5. Re:Shocking... by icebike · · Score: 2

      > Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      Yeah, I expect they had so many to notify they had to use a service, but if so why leave a link in the email?

      I never even got notified by email, or if I did it was so spammy it got trapped and I'm too lazy to look.

      My Android app got an update, and the reason for the update was a security announcement. So I installed it, and it insisted I must change passwords, and took me to the web page to do so.

      --
      Sig Battery depleted. Reverting to safe mode.
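The reset e-mail u38cg and icebike describe above linked to links.evernote.mkt5371.com, which is exactly the pattern a phishing filter keys on. The following is an added Python example, not code from the thread or from Evernote: it checks every link in a notification mail against the sender's registrable domain, so an 'evernote' label buried inside a third-party host does not pass. The From: header, the www.evernote.com link and the tiny public-suffix table are assumptions; the sample mail is constructed around the URL and the sentence quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample mail: the tracking URL and the advice sentence are the ones
# quoted in the thread; the From: header and the evernote.com link are assumed.
SAMPLE_EMAIL = """\
From: Evernote <no-reply@evernote.com>

We have reset your password. Click http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah to set a new one.
Never click on 'reset password' requests in emails - instead go directly to https://www.evernote.com/
"""

# Assumption: a minimal stand-in for the public suffix list, enough for this example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname.
    www.evernote.com -> evernote.com; links.evernote.mkt5371.com -> mkt5371.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def sender_domain(email_text):
    """Registrable domain of the address in the From: header, or None."""
    m = re.search(r"^From:.*?<[^@>]+@([^>\s]+)>", email_text, re.MULTILINE)
    return registrable_domain(m.group(1)) if m else None


def audit_links(email_text):
    """Return (url, host, status) for each link; 'mismatch' means the link's
    registrable domain differs from the sender's, the classic phishing tell,
    regardless of how many brand-like labels the host carries."""
    sender = sender_domain(email_text)
    results = []
    for url in URL_RE.findall(email_text):
        host = urlparse(url).hostname or ""
        status = "ok" if registrable_domain(host) == sender else "mismatch"
        results.append((url, host, status))
    return results


if __name__ == "__main__":
    for url, host, status in audit_links(SAMPLE_EMAIL):
        print(f"{status:8} {host}")
```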
    6. Re:Shocking... by camperdave · · Score: 4, Funny

      I too have only one password to change. I have over a thousand sites I need to change it on, though.

      --
      When our name is on the back of your car, we're behind you all the way!
    7. Re:Shocking... by Xest · · Score: 2

      It's a question of who they get broken into by though.

      For example, Google has been hacked sure, but it's been by state actors (China) who don't give a shit about leaking everyone's personal and credit card details but are more interested in information and espionage.

      No company should be allowing themselves to get hacked by a bunch of script kiddies though who do lose your details left and right like Sony was.

      Further, I'm not even sure your assertion that everyone gets broken into eventually is true. In the industry I work in if we got broken into we'd go out of business overnight so we simply can't afford to let that happen to us. I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked? eBay? (DDOS doesn't count, that's not a hack).

      Really, without knowing the details of this attack it's hard to speculate reasonably as to whether they should or shouldn't have had this happen to them. If it was something trivial and stupid like an SQL injection attack then they should give up on their business now for being a bunch of incompetent dickheads. If however it was something more sophisticated then fair enough, you can somewhat sympathise with them.

      But either way I think it's dangerous to try and make it acceptable that a company will get hacked by simply saying "Oh it happens to everyone, don't worry, as long as you clean up properly". That's bollocks, and it just gives companies an excuse "Yeah, we know all your credit card details got stolen because we had an open SSH port with root access available and password of 'password' but don't worry, we told you, and reset your password, consider us excused for the fact you will now be a victim of financial fraud!".

  2. Keep it in the cloud by DFurno2003 · · Score: 2

    So that the government and whoever else wants to see your data has 24 hour access to it.

  3. Control the encryption layer by worip · · Score: 2

    If you use a cloud service, use a layer of encryption that is under your control, e.g. truecrypt with dropbox. Problem is that it usually breaks the service. A possible alternative is to build your own cloud with OwnCloud. Note though that nothing as good as Evernote is yet available as a private server.

    --
    A picture is worth exactly 1024 words.
    1. Re:Control the encryption layer by bfandreas · · Score: 5, Insightful

      The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
      If you work under the assumption cloud == public then you will do no wrong.

      ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

      To whoever cracked Evernote:
      Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

      --
      20 minutes into the future
  4. Right to be deleted by mescobal · · Score: 5, Insightful

    I tried to get my account deleted: they say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

    --
    La culpa no es del chancho...
    1. Re:Right to be deleted by Anonymous Coward · · Score: 2

      Your right to disappear from a service is already granted. The caveat is that it is nullified when you sign up. If you don't want to have troubles deactivating accounts, don't create them.

      You're borrowing their hardware, they're borrowing your content. They want you to come back, and they want you to sign up your friends for the service. This is the carrot, this is the stick.

      If your content is never deleted it also makes account reactivations and complying with court orders a breeze.

    2. Re:Right to be deleted by Threni · · Score: 2

      I just deleted my account, and had to reset my password first - no problem.

    3. Re:Right to be deleted by bfandreas · · Score: 5, Insightful

      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

      --
      20 minutes into the future
    4. Re:Right to be deleted by Rakishi · · Score: 2

      And if someone hacks your account and deletes it you'll be yelling at them to restore everything you had there.

  5. Re:And Evernote Is? by Scutter · · Score: 4, Insightful

    If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.

    --
    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  6. Re:Give us the keys! by peragrin · · Score: 2

    Because if you haven't figured it out people are on average stupid idiots.

    Take email encryption. After 20+ years there still isn't an easy to use way to send encrypted emails to anyone and get the appropriate security keys.

    That means everyone is using plain text email still.

    --
    i thought once I was found, but it was only a dream.
  7. Re:Give us the keys! by icebike · · Score: 2

    What keys are you speaking about?

    From TFA

    > In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
    >
    > The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.

    Evernote has passwords, like just about every site. What you put on Evernote is your business, but without additional layers of encryption most people don't put anything up there that is super secret. Most people use it for notes and stuff they need for quick reference on the go. It's a tool of convenience, not a bank vault.

    --
    Sig Battery depleted. Reverting to safe mode.
  8. Re:And Evernote Is? by crashumbc · · Score: 4, Insightful

    It also used to be a "geek" site...

    If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.

  9. Re:Give us the keys! by Threni · · Score: 2

    No, we're using Dropbox, Evernote, Google Drive and email with Truecrypt files. I tend to not use email for secure comms now; just edit a text file in a folder dropbox is configured to watch and as soon as you unmount the file it gets synced up and the recipient notified. I'd use Drive except it doesn't understand the concept of only syncing the part of the Truecrypt file which has changed, uploading instead the whole Truecrypt file. Even that would work for small files though.

  10. Re:Give us the keys! by icebike · · Score: 2

    You apparently don't know how most cloud storage systems work.

    And you apparently don't have a clue about Evernote. It's not a "cloud storage" system.

    Run along now sonny. I've got work to do.

    --
    Sig Battery depleted. Reverting to safe mode.