Evernote discloses password breach, while critics bemoan its use of crackable crypto

Share this article:
Evernote discloses password breach, while critics bemoan its use of crackable crypto
Evernote discloses password breach, while critics bemoan its use of crackable crypto

Popular notetaking software service Evernote has reset the passwords for all of its users following a network breach.

The company advised its 50 million users on Saturday that it "detected and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas" of its service. It didn't find any indication that content or payment information was compromised, but the intruders did access usernames, email addresses and encrypted passwords of users.

As a result, it reset users' passwords and forced them to create new ones. Evernote also offers its service via apps for devices running operating systems such as Windows Mobile, iOS and Android.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," CTO Dave Engberg wrote. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

The breach is reminiscent of a string of incidents last spring when the credentials belonging to LinkedIn, Yahoo, eHarmony, Formspring and Billabong members were accessed by hackers. In many of these cases, the passwords are encrypted, but they are easily cracked using commonly available tools requiring minimal time and investment.

Evernote reportedly uses MD-5, a cryptographic hash function that has been known for years to be vulnerable.

Troy Hunt, a software architect and Microsoft MVP, suggested in a blog post he wrote over the weekend that websites such as Evernote should be required to disclose to their users what types of mechanisms they use to protect passwords.

"I propose that websites should be required to disclose their password storage mechanism," Hunt wrote. "The disclosure would sit right next to the point where the password is provided for persistent storage, namely on the registration and password change pages."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

EPIC files complaint with FTC against Maricopa

The nonprofit organization alleges that the Maricopa County Community College District violated the FTC's "Safeguards Rule."

RSA fraud report examines August phishing trends

Phishing is down 22 percent from July to August, but U.S. banks experienced an increase in phishing volume.

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.