Evernote Security Compromised

Posted by Soulskill
from the 12345-to-123456 dept.
starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email addresses, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."
  • Shocking... (Score:3, Interesting)

    by ohzero (525786) <onemillioninchange&yahoo,com> on Saturday March 02, 2013 @06:02PM (#43056447) Homepage Journal
    One more trendy company that didn't have a security program gets compromised. It's almost as if ignoring the problem doesn't make it go away. Pentest, code review, remediate, and test some more. Or, you know, lose brand value...that's the other option.
    • by Anonymous Coward

      They took the time to properly salt and hash the passwords. I'm grateful to have that much security.

    • Re:Shocking... (Score:5, Interesting)

      by Mr Thinly Sliced (73041) on Saturday March 02, 2013 @06:10PM (#43056497) Homepage Journal

      As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.

      It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.

      At the very least their internal security team now gets a nice big stick to beat management with to stop cutting certain corners.

      • Re:Shocking... (Score:5, Insightful)

        by u38cg (607297) <calum@callingthetune.co.uk> on Saturday March 02, 2013 @06:31PM (#43056643) Homepage
        Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah [mkt5371.com]. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...
        • Came here to post this exact thing. They REALLY screwed up the notification email.

          • by Snotnose (212196)

            I never got notification email. I also can't log in with any password, now that it's hit /. I know to hit their site for a heads up.

            Evernote has my weakest throwaway passwords, and the only thing I use it for is grocery lists. Not too worried about this one.

          • by deniable (76198)
            What notification email? Devices started having sync errors and I got a weird password prompt on the desktop. I assumed they'd nuked my account and went to the website. There's a link "If you received a password reset notification..." but you have to go to the blog for an explanation.
        • by icebike (68054)

          > Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah [mkt5371.com]. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

          Yeah, I expect they had so many to notify they had to use a service, but if so why leave a link in the email?

          I never even got notified by email, or if I did it was so spammy it got trapped and I'm too lazy to look.

          My Android app got an update, and the reason for the update was a security announcement. So I installed it, and it insisted I must change passwords, and took me to the web page to do so.

        • by Seumas (6865)

          At least you got an email. I woke up this afternoon and I couldn't access Evernote on my ipad. So I tried my laptop, desktop, then web interface. I assumed I had screwed up my password somehow. Eventually, it stopped giving me an error and gave me a "reset your password" warning, instead. So I did. I've checked my email and though I've received advertising from Evernote on January 15th and then February 9th, 25th, and 26th -- I've received nothing regarding a breach or password reset (and I'm also a premium

        • Wait, wait, wait.... What's to keep hackers from spamming the world with the same exact email, but with the link pointing to their site? From there they collect your current password. With email clients showing the most recent emails first, the re-sent hacker phishing email can appear before the one authorized by Evernote.
      • Re:Shocking... (Score:5, Insightful)

        by nametaken (610866) on Saturday March 02, 2013 @06:39PM (#43056707)

        Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

        Evernote seems to have done what you should do in a situation like this.

        • by Seumas (6865)

          The more concerning thing is that, as I understand it, your data is not encrypted on Evernote. By design, presumably, so they can index and perform OCR and searches and other things on your data. If they can breach the server with user credentials, why couldn't they breach the servers containing your actual documents and everything?

        • by Xest (935314)

          It's a question of who they get broken into by though.

          For example, Google has been hacked sure, but it's been by state actors (China) who don't give a shit about leaking everyone's personal and credit card details but are more interested in information and espionage.

          No company should be allowing themselves to get hacked by a bunch of script kiddies though who do lose your details left and right like Sony was.

          Further, I'm not even sure your assertion that everyone gets broken into eventually is true. In the

          • > I can think of a number of companies such as banks that have simply never been hacked

            Having worked for a couple of banks in my time and had the ear of some of the security chiefs, I can tell you that it does happen. Unless it's a particularly visible breach (multiple account details stolen, loss of funds with transfers), very little of it makes it to the media. For obvious reasons.

            I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked?

            What makes you think you'd hear about it if happened? Most companies will only hold up their hands and admit problems when the evidence is undeniable. See Sony.

            • by Xest (935314)

              A breach with only an account or two stolen makes no sense. It's more likely explained by the account holder themselves. Either the hacker managed to get access to banking details or they didn't, it really makes no sense that they broke in but only got one set of details.

              Which is precisely why we'd hear about it - when somewhere is really actually hacked, the fallout is big enough that it can't stay hidden.

              • > A breach with only an account or two stolen makes no sense.

                I'm afraid the real world has a few more shades of grey than hacked or not hacked.

                The bad guys get caught with varying levels of "in" in the DMZ. High value single account targets are of interest to the bad guys too. A shotgun approach of attack can set off alarm bells where a surgical strike can go unnoticed for a bit longer.

                Banks in particular have improved over the last few years with two factor auth and dropping the "smart client" (java / flash) mess, but the bad guys are just as inventive - social engi

                • by Xest (935314)

                  Yes, I understand people can penetrate to different levels of a network, but what is black or white is whether they penetrated and got anything of value or not.

                  The fact is, you don't penetrate deep enough into a bank to get information of value and then only get one account's details, it just makes no sense.

                  If anyone has breached deep enough to be of any real matter or value, we'd hear about it, that's the point.

                  If you're going to risk hacking into a bank, you're going to come out with something of value wh

      • I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibili

      • by thsths (31372)

        > with the best will in the world you're always just one mistake away from letting the bad guys in.

        Not at all. With a bad security model you are only one step away from being owned. If you have a proper security model, you have several layers, and not just a single one. So there should be no single point of failure. Combine this with decent testing etc., and you have a reasonable amount of security.

    • by Seumas (6865)

      I don't think being trendy has anything to do with it. It simply is another piece of evidence that demonstrates an industry-wide problem of security seeming to be very nebulous. Apple, Microsoft, Sony, Valve, Facebook, Twitter, EA, Pinterest, Tumblr, LastPass, NYT, Evernote, and countless other places in the last couple of years (800 breaches of business, government, and medical institutions in just the past year according to privacyrights.org). Hell, wasn't kernel.org even compromised in the past year?

      It s

    • by leaen (987954)
      Well, it is a movie plot plan.
      Hacker A: gets access to Evernote
      Hacker B: Look, these passwords are hashed and salted
      Hacker A: Never mind. We issue a password reset and send passwords to evil.com
  • So that the government and whoever else wants to see your data has 24 hour access to it.
    • by Seumas (6865)

      Because your home system with a standard consumer router is so secure and impenetrable and the same government that could demand direct access to a full live stream of cloud data couldn't demand the major OS developers include a backdoor to them and access your home machine.

  • by worip (1463581) on Saturday March 02, 2013 @06:07PM (#43056481)
    If you use a cloud service, use a layer of encryption that is under your control, e.g. TrueCrypt with Dropbox. Problem is that it usually breaks the service. A possible alternative is to build your own cloud with OwnCloud. Note though that nothing as good as Evernote is yet available as a private server.
    • by heypete (60671)

      The last I checked with Owncloud (~2-3 months ago), their system would update the entire encrypted file rather than just the parts that changed. This might work for a relatively small TrueCrypt file but it becomes impractical if you have a large file. Dropbox updates only the changed parts, which is handy.

    • by bfandreas (603438) on Saturday March 02, 2013 @06:23PM (#43056595)
      The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
      If you work under the assumption cloud == public then you will do no wrong.

      ...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

      To whoever cracked Evernote:
      Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.
      • by AmiMoJo (196126) *

        It isn't access to your Evernote account you should be worried about, it is access to all the other accounts you used the same email address, user name and password for. Okay, from the sound of it you probably don't do that, but the majority of people do.

        Resetting all Evernote passwords isn't going to help them much. If their email account is vulnerable then they are pretty much screwed, because everything else seems to rely on being able to send password reset messages to that account and assumes it is sec

        • by bfandreas (603438)
          I use the same (throwaway) email account and password for all my low priority accounts. If they get owned have fun with my trivialities.
          I do use a password generator and a keystore for my important things, tho.

          If His Flying Noodlyness hadn't intended us to use throwaway email accounts for throwaway online services he wouldn't have given us Hotmail.
  • by mescobal (1516701) on Saturday March 02, 2013 @06:09PM (#43056491) Homepage
    I tried to get my account deleted: they say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.
    • by Anonymous Coward

      You don't even have a right to self-terminate. What makes you think you have a right to delete your account?

    • by Anonymous Coward

      Your right to disappear from a service is already granted. The caveat is that it is nullified when you sign up. If you don't want to have troubles deactivating accounts, don't create them.

      You're borrowing their hardware, they're borrowing your content. They want you to come back, and they want you to sign up your friends for the service. This is the carrot, this is the stick.

      If your content is never deleted it also makes account reactivations and complying with court orders a breeze.

      • What the fuck are you talking about, you dumb fuck?

        Evernote Premium users pay $40 per year. I'm not borrowing anything.

    • by Threni (635302)

      I just deleted my account, and had to reset my password first - no problem.

    • by bfandreas (603438) on Saturday March 02, 2013 @06:37PM (#43056693)
      And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.
      • This

      • by antdude (79039)

        Even if that does happen, wouldn't companies still have back ups?

        • by bfandreas (603438)
          So? If your data is deleted that will eventually propagate through all backups.
          That's a lousy reason and a lame excuse not to offer the big "DELETE PLX" button.
          And by deleted I mean deleted. Not flagged as deleted.
    • by icebike (68054)

      So go in, delete everything you've entered, then empty the trash and deactivate your account.

      Like everybody else, they probably have off-line backup, and your account may dwell on some tape media somewhere until that cycles out of existence.

      Good luck getting something like that passed into law, since it runs directly contrary to what your government (every government) wants.

    • by Rakishi (759894)

      And if someone hacks your account and deletes it you'll be yelling at them to restore everything you had there.

  • With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

    I am all for them going public with what they found. But sometimes you really need to have enough confidence in your own protec
    • by gottabeme (590848)

      Yes, thank you for saying this. I'm so sick of forced password resets. I can't remember all the passwords I use, and for some sites that I might actually need to remember them for, having to make a new one means I no longer remember the password for that site! It means I'm more likely to choose a weak password which is easier to remember and easier to crack.

      Thus my theory that forced password resets actually decrease security.

    • by si618 (263300)

      With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?

      My guess would be the salt was either not unique per account, or was part of the compromised data. Either way it would make it (somewhat) easier to brute-force.

      • by kasperd (592156)

        > My guess would be the salt was either not unique per account

        There is only one salt per account, so of course it is unique per account. But that is probably not what you meant. Could it be that the salt is not unique? It could be, but once you are doing any salting in the first place, it is trivial to make it unique. All you have to do is let the salt be a sufficiently long string of random characters, and the probability of collisions will be negligible.

        > or was part of the compromised data.

        Salts are stored t

        • by si618 (263300)

          > There is only one salt per account, so of course it is unique per account. But that is probably not what you meant.

          No, it is exactly what I meant. How do you know the salt is unique? Did you write the code? It's easier to use the same salt for every account rather than making it unique, since it can be hard-coded and doesn't need to be persisted with the hash.

          See here [crackstation.net] for a more thorough explanation.

          > But don't worry. Salts are designed such that they don't need to be kept secret.

          Of course, but as I said, if you're using the same salt for all your hashes then it becomes less secure.

          • by kasperd (592156)

            > No, it is exactly what I meant. How do you know the salt is unique?

            I did not say that I know the salt is unique. I said the salt is unique per account, which is a tautology because there is only one salt per account.

            > as I said, if you're using the same salt for all your hashes then it becomes less secure.

            Of course. If you are using the same salt for every account, you are not salting at all. You'd be reducing the salted hash down to simply an unsalted but non-standard hash function. That would not require mu
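The si618/kasperd exchange above turns on two points: a salt stored next to the hash does not need to be secret, and a salt shared by every account is no salt at all, because identical passwords then produce identical digests. The following Python is an added illustration of both points and is not code from the thread or from Evernote; it assumes PBKDF2-HMAC-SHA256 as the password hash (the thread does not say what Evernote used), and the user names, passwords and the hard-coded `SHARED_SALT` are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption for illustration: PBKDF2-HMAC-SHA256. The iteration count is kept
# low so the demo runs quickly; a production system would tune it much higher.
ITERATIONS = 20_000
SALT_BYTES = 16

# Constructed anti-pattern: one hard-coded salt reused for every account.
SHARED_SALT = b"constructed-shared-salt"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Draws a fresh random per-account salt when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored, non-secret salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_table(credentials: Dict[str, str], per_account_salt: bool) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash a username -> password mapping the way a user database would store it.

    per_account_salt=True  : each row gets its own random salt (the correct scheme).
    per_account_salt=False : every row uses SHARED_SALT (the anti-pattern under discussion).
    """
    table: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in credentials.items():
        salt = None if per_account_salt else SHARED_SALT
        table[user] = hash_password(password, salt)
    return table


def count_distinct_digests(table: Dict[str, Tuple[bytes, bytes]]) -> int:
    """How many different digests the table holds; equals the row count only if
    identical passwords are hidden from each other by distinct salts."""
    return len({digest for _salt, digest in table.values()})


# Constructed sample: two users who picked the same password, plus one who did not.
CREDENTIALS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase entirely",
}


if __name__ == "__main__":
    good = build_table(CREDENTIALS, per_account_salt=True)
    bad = build_table(CREDENTIALS, per_account_salt=False)
    print("per-account salts : distinct digests =", count_distinct_digests(good))
    print("shared salt       : distinct digests =", count_distinct_digests(bad))
    # The salt is stored in the clear beside the digest and verification still works.
    salt, digest = good["alice"]
    print("alice login with right password :", verify_password(CREDENTIALS["alice"], salt, digest))
    print("alice login with wrong password :", verify_password("not it", salt, digest))
```

With per-account salts the three rows yield three distinct digests even though alice and bob chose the same password; with the shared salt their digests are identical, which is exactly the "unsalted but non-standard hash function" kasperd describes: one precomputed table would serve every account. Verification needs only the salt that sits in the row, so leaking the salts along with the hashes, as si618 worried about, does not by itself weaken the per-account scheme.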

  • So the attackers were able to get what sounds like direct access to the user database, or best case a backup copy, and yet we're expected to believe that the attackers couldn't gain access to the content database? (assuming it's even a different database) Or at least crack some really weak passwords within the two days before this was reported to users?

    In this kind of attack, the baddies are after the content. The user accounts themselves are mostly worthless -- can't really use them for spam or phishing. B

  • by czth (454384)

    I considered using EverNote at one point, but my concern was offline availability (for personal use on my laptop) and security (for use at work). I didn't think management would be happy with me storing proprietary/confidential data on someone else's remote server, so I stuck with OneNote. (I also didn't realistically think they'd get broken into, to be honest, just thought it would be frowned upon. Sometimes paranoia works for you.)

    I have looked into several open source alternate note-taking programs, but

    • by Tool Man (9826)

      While formatting options make something like EverNote look interesting, I haven't yet found a must-have feature for me that negates the loss of control I feel over my info. I do like Pinboard for bookmarks, which I don't really treat as private, but most of the rest ends up in plain-text files that I can read anywhere. Combined with an encrypted file sync service like Wuala or SpiderOak, I feel 90% of the way there. I might end up adding Tiddlywiki in the same sync folders for items which need a bit more fo
