Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks

Evernote User Passwords have been Compromised

Posted by JenThorpe at 8:55 PM on March 6, 2013

Users of Evernote were recently sent an email that said that the company had decided to implement a password reset. It required 50 million users to reset their passwords. Why? The answer is the usual one when a company urges users to change their passwords – Evernote got hacked over the weekend.

This explains the difficulties that my husband and I had when we went grocery shopping. He uses Evernote to create grocery lists (instead of writing them down on paper). Usually, this works really well. However, when we got to the store and he tried to open Evernote, it wasn’t functioning as he expected it to. Oh, no! Could hackers be reading our grocery lists? If so, then they must be awfully bored.

The email Evernote sent to its users says:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

It goes on to say that this is the reason why they are implementing a password reset. So, if you opened Evernote today, and wondered why it was asking you to reset your password, now you know. Evernote says that they have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. It also says:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted).

There are helpful suggestions on the Evernote website (where the email it sent to users was posted) that give advice about how to create a more secure password. The site also points out that you should not click on “reset password” requests in emails, and should instead go directly to the service itself to do that.