Slashdot Mirror

← Back to Stories (view on slashdot.org)

Evernote Security Compromised

Posted by Soulskill on from the 12345-to-123456 dept.

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

5 of 104 comments (clear)

  1. Right to be deleted by mescobal · · Score: 5, Insightful

    I tried to get my account deleted: the say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

    --
    La culpa no es del chancho...
    1. Re:Right to be deleted by bfandreas · · Score: 5, Insightful

      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

      --
      20 minutes into the future
  2. Re:Shocking... by Mr+Thinly+Sliced · · Score: 5, Interesting

    As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

    It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

    At the very least their internal security team now gets a nice big stick to beat management with to stopping cutting certain corners.

  3. Re:Control the encryption layer by bfandreas · · Score: 5, Insightful

    The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
    If you work under the assumption cloud == public then you will do no wrong.

    ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

    To whoever cracked Evernote:
    Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

    --
    20 minutes into the future
  4. Re:Shocking... by u38cg · · Score: 5, Insightful

    Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

    --
    [FUCK BETA]