Evernote Security Compromised

starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."

Right to be deleted

[mescobal]

I tried to get my account deleted: the say they can't (!!!!). There's an option to "deactivate" my account. We need laws enforcing our right to disappear from a service.

Re:And Evernote Is?

[Scutter]

If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.

Re:Control the encryption layer

[bfandreas]

The better approach is to cloud only stuff you could as well put in the pub directory of an FTP server.
If you work under the assumption cloud == public then you will do no wrong.

...which makes Truecrypt an exercise in self defeat. I'd rather have my passwords encrypted on my own person instead of on a public directory.

To whoever cracked Evernote:
Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.

Re:Shocking...

[u38cg]

Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah [mkt5371.com]. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...

Re:Right to be deleted

[bfandreas]

And people still laugh when Germany pushes for laws that require companies to give you a big "FORGET ME NOW" button.

Re:Shocking...

[nametaken]

Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.

Evernote seems to have done what you should do in a situation like this.

Re:And Evernote Is?

[crashumbc]

It also used to be a "geek" site...

If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.