Evernote discloses password breach, while critics bemoan its use of crackable crypto

Popular notetaking software service Evernote has reset the passwords for all of its users following a network breach.

The company advised its 50 million users on Saturday that it "detected and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas" of its service. It didn't find any indication that content or payment information was compromised, but the intruders did access usernames, email addresses and encrypted passwords of users.

As a result, it reset users' passwords and forced them to create new ones. Evernote also offers its service via apps for devices running operating systems such as Windows Mobile, iOS and Android.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," CTO Dave Engberg wrote. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

The breach is reminiscent of a string of incidents last spring when the credentials belonging to LinkedIn, Yahoo, eHarmony, Formspring and Billabong members were accessed by hackers. In many of these cases the passwords were encrypted, but they were easily cracked using commonly available tools requiring minimal time and investment.

Evernote reportedly uses MD5, a cryptographic hash function that has been known for years to be vulnerable.
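The following is an added example, not code from the article or from Evernote, that shows why an unsalted fast hash such as MD5 is so cheap to crack and what a defender's alternative looks like. The "leaked" records and the wordlist are constructed for the demonstration, and the choice of PBKDF2-HMAC-SHA256 with a random salt as the stronger scheme is an assumption of this example; the article does not say what Evernote should move to.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "commonly available tools" the
# article mentions; real cracking wordlists hold millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "evernote1"]


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the article attributes to Evernote."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup_table(wordlist):
    """Precompute digests once; every unsalted MD5 record that matches an
    entry is recovered by a dictionary lookup, with no per-record work."""
    return {md5_store(word): word for word in wordlist}


def audit_unsalted(leaked_hashes, wordlist):
    """Defender's check: which records in a leaked unsalted-MD5 table would
    fall to a plain wordlist? Returns {hash: recovered_password}."""
    table = md5_lookup_table(wordlist)
    return {h: table[h] for h in leaked_hashes if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed alternative scheme).
    A fresh random salt per record defeats precomputed tables, and the
    iteration count makes each guess cost the attacker real CPU time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check itself leaks nothing about the digest."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed "leak": two users, one with a common password.
    leaked = [md5_store("letmein"), md5_store("a-long-unique-passphrase")]
    print("recovered from MD5 table:", audit_unsalted(leaked, COMMON_PASSWORDS))

    record = pbkdf2_store("letmein")
    print("same password, different PBKDF2 records:",
          record != pbkdf2_store("letmein"))
    print("verify correct password:", pbkdf2_verify("letmein", record))
```

Note that `audit_unsalted` needs no knowledge of the individual users: identical passwords produce identical MD5 digests, so one precomputed table serves every record in the leak, which is exactly why the credential dumps listed above were cracked so quickly. With the salted scheme, two records for the same password differ, and an attacker has to repeat the full iterated computation per record and per guess.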

Troy Hunt, a software architect and Microsoft MVP, suggested in a blog post he wrote over the weekend that websites such as Evernote should be required to disclose to their users what types of mechanisms they use to protect passwords.

"I propose that websites should be required to disclose their password storage mechanism," Hunt wrote. "The disclosure would sit right next to the point where the password is provided for persistent storage, namely on the registration and password change pages."
