Evernote discloses password breach, while critics bemoan its use of crackable crypto

Share this article:
Evernote discloses password breach, while critics bemoan its use of crackable crypto
Evernote discloses password breach, while critics bemoan its use of crackable crypto

Popular notetaking software service Evernote has reset the passwords for all of its users following a network breach.

The company advised its 50 million users on Saturday that it "detected and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas" of its service. It didn't find any indication that content or payment information was compromised, but the intruders did access usernames, email addresses and encrypted passwords of users.

As a result, it reset users' passwords and forced them to create new ones. Evernote also offers its service via apps for devices running operating systems such as Windows Mobile, iOS and Android.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," CTO Dave Engberg wrote. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

The breach is reminiscent of a string of incidents last spring when the credentials belonging to LinkedIn, Yahoo, eHarmony, Formspring and Billabong members were accessed by hackers. In many of these cases, the passwords are encrypted, but they are easily cracked using commonly available tools requiring minimal time and investment.

Evernote reportedly uses MD-5, a cryptographic hash function that has been known for years to be vulnerable.

Troy Hunt, a software architect and Microsoft MVP, suggested in a blog post he wrote over the weekend that websites such as Evernote should be required to disclose to their users what types of mechanisms they use to protect passwords.

"I propose that websites should be required to disclose their password storage mechanism," Hunt wrote. "The disclosure would sit right next to the point where the password is provided for persistent storage, namely on the registration and password change pages."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.