Slashdot Mirror
Evernote Security Compromised
starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."
I tried to get my account deleted: the say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.
La culpa no es del chancho...
As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.
It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.
At the very least their internal security team now gets a nice big stick to beat management with to stopping cutting certain corners.
If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.
If you work under the assumption cloud == public then you will do no wrong.
To whoever cracked Evernote:
Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.
20 minutes into the future
Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...
[FUCK BETA]
Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.
Evernote seems to have done what you should do in a situation like this.
It also used to be a "geek" site...
If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.
I too have only one password to change. I have over a thousand sites I need to change it on, though.
When our name is on the back of your car, we're behind you all the way!