Evernote Resets All Passwords Following A Security Breach

Max ‘Beast from the East’ Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope.

50 million accounts need new passwords, but Evernote says no content has been compromised

Evernote, the developer of popular note-taking and organisation software, found suspicious activity in its networks over the weekend, prompting it to reset passwords for 50 million users.

The company says that the measure is merely a precaution, as it found no evidence of hackers accessing private user content or payment details.

Better safe than sorry

On Saturday, Evernote initiated a “service-wide password reset”, after the security team discovered a “coordinated attempt to access secure areas of the Evernote Service”.

An investigation launched by the company soon discovered that an unidentified party was able to gain access to account information stored on the platform, such as user names, emails and encrypted passwords.

It is unlikely the attackers will be able to use the stolen data, since Evernote, abiding by good security practices, ‘hashed’ and ‘salted’ its passwords.

“While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords,” explained the company on its blog.

Evernote said that it will update a range of apps in order to make the process of changing passwords easier. In an email, it also advised users on how to make their new passwords more secure.

“Avoid using simple passwords based on dictionary words, never use the same password on multiple sites or services and never click on ‘reset password’ requests in emails — instead go directly to the service,” suggests Evernote.

Last year, an attacker stole 6.5 million passwords from LinkedIn and published them online, with the social network claiming losses between $500,000 and $1 million due to the breach. LinkedIn was heavily criticised by security professionals, since the passwords weren’t ‘salted’ and could be easily cracked.
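The difference between unsalted and salted password storage can be shown in a few lines. This is an added example, not code from Evernote, LinkedIn or the article; the account names, passwords, SHA-256 and the PBKDF2 parameters are assumptions, since the article does not say which algorithms either company used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; two users happen to share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}

def unsalted_records(users):
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

def salted_records(users, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16)  # unique per account, stored beside the digest
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        records[user] = (salt, iterations, digest)
    return records

def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(test, digest)

def shared_digests(digests):
    """Number of accounts whose stored value also appears on another account."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

if __name__ == "__main__":
    weak = unsalted_records(USERS)
    strong = salted_records(USERS)
    # Without a salt, one computed digest can be checked against every record at once.
    print("unsalted, accounts sharing a digest:", shared_digests(weak.values()))
    # With per-user salts, each record has to be worked on separately.
    print("salted, accounts sharing a digest:",
          shared_digests(d for _, _, d in strong.values()))
    print("login check still works:", verify(strong["alice"], "sunshine1"))
```
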

Yahoo and Tesco are some of the other companies that were singled out last year for not encrypting their passwords and thus ignoring basic security rules.

“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” said the company.
