Slashdot Mirror


Evernote Security Compromised

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email addresses, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

10 of 104 comments

  1. Shocking... by ohzero · Score: 3, Interesting

    One more trendy company that didn't have a security program gets compromised. It's almost as if ignoring the problem doesn't make it go away. Pentest, code review, remediate, and test some more. Or, you know, lose brand value...that's the other option.

    --
    -- http://www.criticalassets.com
    1. Re:Shocking... by Mr+Thinly+Sliced · Score: 5, Interesting

      As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

      It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

      At the very least their internal security team now gets a nice big stick to beat management with to stop cutting certain corners.

    2. Re:Shocking... by u38cg · Score: 5, Insightful

      Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

      --
      [FUCK BETA]
    3. Re:Shocking... by nametaken · Score: 4, Insightful

      Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

      Evernote seems to have done what you should do in a situation like this.

    4. Re:Shocking... by camperdave · Score: 4, Funny

      I too have only one password to change. I have over a thousand sites I need to change it on, though.

      --
      When our name is on the back of your car, we're behind you all the way!
  2. Right to be deleted by mescobal · Score: 5, Insightful

    I tried to get my account deleted: they say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

    --
    La culpa no es del chancho...
    1. Re:Right to be deleted by bfandreas · Score: 5, Insightful

      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

      --
      20 minutes into the future
  3. Re:And Evernote Is? by Scutter · Score: 4, Insightful

    If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.

    --
    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  4. Re:Control the encryption layer by bfandreas · Score: 5, Insightful

    The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
    If you work under the assumption cloud == public then you will do no wrong.

    ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

    To whoever cracked Evernote:
    Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

    --
    20 minutes into the future
  5. Re:And Evernote Is? by crashumbc · Score: 4, Insightful

    It also used to be a "geek" site...

    If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.