Posted by: Ken Harthun
Evernote, the popular note-taking program whose goal is “to help the world remember everything, communicate effectively and get things done,” has had its website hacked and is forcing all users to reset their passwords:
Security Notice: Service-wide Password Reset
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
Good for them that they salt their password hashes, and good for them for implementing a password change for all users. Others should follow this example.