Evernote discloses password breach, while critics bemoan its use of crackable crypto

Share this article:
Evernote discloses password breach, while critics bemoan its use of crackable crypto
Evernote discloses password breach, while critics bemoan its use of crackable crypto

Popular notetaking software service Evernote has reset the passwords for all of its users following a network breach.

The company advised its 50 million users on Saturday that it "detected and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas" of its service. It didn't find any indication that content or payment information was compromised, but the intruders did access usernames, email addresses and encrypted passwords of users.

As a result, it reset users' passwords and forced them to create new ones. Evernote also offers its service via apps for devices running operating systems such as Windows Mobile, iOS and Android.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," CTO Dave Engberg wrote. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

The breach is reminiscent of a string of incidents last spring when the credentials belonging to LinkedIn, Yahoo, eHarmony, Formspring and Billabong members were accessed by hackers. In many of these cases, the passwords are encrypted, but they are easily cracked using commonly available tools requiring minimal time and investment.

Evernote reportedly uses MD-5, a cryptographic hash function that has been known for years to be vulnerable.

Troy Hunt, a software architect and Microsoft MVP, suggested in a blog post he wrote over the weekend that websites such as Evernote should be required to disclose to their users what types of mechanisms they use to protect passwords.

"I propose that websites should be required to disclose their password storage mechanism," Hunt wrote. "The disclosure would sit right next to the point where the password is provided for persistent storage, namely on the registration and password change pages."

Share this article:

Sign up to our newsletters

More in News

Medical transcription provider settles data security charges

GMR Transcription Services in California agreed to settle FTC charges related to its security practices.

Researcher hacks network connected devices in own home

Researcher hacks network connected devices in own home

In his own home, a researcher was able to hack various network connected devices that are not computers and mobile phones.

Study: Most higher ed malware infections attributed to 'Flashback'

Study: Most higher ed malware infections attributed to ...

Flashback caused a stir in 2012 when some 650,000 Macs were infected with the malware.