Evernote Breach: 7 Security Lessons

Published: 22/11/2024   Category: security




Both cloud service providers and users should heed the security takeaways from Evernote's breach and response.



On Sunday, Evernote informed its 50 million users via email that it had suffered a data breach and suspected that usernames, email addresses and hashed passwords (which the notice called "encrypted") may have been stolen.
"Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service," read the "Evernote Security Notice: Service-wide Password Reset" email sent to users, which was also posted as a blog and to the Evernote Facebook page. "As a precaution to protect your data, we have decided to implement a password reset [for all users]."
What lessons can be learned from Evernote's data breach, as well as the company's handling of the incident? Here are seven security takeaways:
1. Detail What Attackers Took.
Kudos to Evernote for broadcasting a security warning -- across multiple channels -- that clearly stated what attackers apparently took, as well as how that data was protected. "The investigation has shown ... that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords," stated the company's email to users. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption." What Evernote calls "one-way encryption" is password hashing: the stored value cannot be reversed to recover the password, only compared against guesses.
[ For more on the Evernote security breach, see "Evernote Resets Everyone's Passwords After Intrusion." ]
The good news for Evernote users is that the company had salted and hashed their passwords -- unlike LinkedIn, which only hashed its passwords, thus making them more susceptible to being brute-force cracked offline and in relatively little time after attackers hacked into LinkedIn last year. Salting does not save a weak password from a dictionary attack, but it forces the attacker to attack each account's hash separately instead of recovering every identical password with one precomputed table. While salted hashing isn't foolproof, it likely bought Evernote -- and its users -- extra time to detect and then respond to the breach.
2. Exercise An Abundance Of Caution.
Evernote opted to expire all passwords rather than attempting to first identify which usernames attackers may or may not have stolen. "While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure," it said. "This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords."
More good news is that no Evernote user content appeared to have been stolen. "In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," read the company's data breach notification. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed," it added, referring to the 4% of Evernote's users -- as of June 2012 -- who are paying customers.
3. Lock Down Weak Points.
How did attackers hack into Evernote? The company didn't disclose that information in its email to customers. But since Saturday, the service has released a flurry of application upgrades for its Windows, Mac, Android and iOS clients.
Some users Sunday reported difficulty resetting their passwords after receiving the breach notification, noting that the Evernote website wasn't recognizing their email address. Evernote VP of marketing Andrew Sinkov advised users, via the Evernote help forum, to first upgrade their software. "Make sure to update all versions of Evernote that you use," he said in a Sunday post. "We've released a number of updates in the past day. After that, go to evernote.com and set your new password."
4. Don't Include Website Links In Password Reset Emails.
Businesses that have had users' email addresses stolen face a dilemma: The "reset your password" emails they send out are often mistaken by users for spam or spear-phishing attacks, because that's so often what they are.
Correctly, Evernote's Sunday email to all of its users does warn them that they should never click a password reset link in an email, but rather browse directly to the site itself. But Graham Cluley, senior technology consultant at Sophos, pointed out that those same emails include password reset links to the Evernote website, by way of the third-party domain mkt5371.com.
"This was just carelessness on Evernote's part," Cluley said in a blog post. "mkt5371 is a domain owned by Silverpop, an email communications firm that Evernote has clearly employed to send emails to its 50 million or so affected users. The links in this case do end up taking you to Evernote's website -- but go silently via Silverpop's systems first. Presumably that's so Evernote can track and collect data on how successful the email campaign has been. Still, it's not ideal."
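The check Cluley applied by hand can be automated. The following added Python script (not Sophos's or Evernote's code) parses a constructed notification email modelled on the one described above, takes the sender's domain from the From header, extracts every URL in the body and reports those whose registrable domain differs from the sender's. The sample email, its tracking URL path and the two-label domain rule are assumptions for illustration; a production check would use the Public Suffix List and also inspect HTML href targets.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample notification, modelled on the structure the article
# describes: a first-party sender, one direct link and one link routed
# through the bulk-mail provider's tracking domain. Not the real email;
# the tracking path is invented.
SAMPLE_EMAIL = """From: Evernote <no-reply@evernote.com>
Subject: Evernote Security Notice: Service-wide Password Reset
Content-Type: text/plain

Never click a password reset link in an email. Go to https://evernote.com/
directly and set a new password.

Or use this link: http://links.mkt5371.com/ctt?kn=1&m=0&r=example
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Assumed rule: the last two labels (good enough for .com). A real tool
    would consult the Public Suffix List to handle e.g. .co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_reset_email(raw_email: str) -> dict:
    """Return the sender's domain and every body link that leaves it."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_payload()
    offsite = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            offsite.append({"url": url, "domain": registrable_domain(host)})
    return {"sender_domain": sender_domain, "offsite_links": offsite}


def is_suspicious(raw_email: str) -> bool:
    """A reset email whose links do not all stay on the sender's own domain
    is treated as suspicious: either a phish, or, as in this case, a
    third-party tracking redirect that a user cannot tell apart from one."""
    return bool(audit_reset_email(raw_email)["offsite_links"])


if __name__ == "__main__":
    report = audit_reset_email(SAMPLE_EMAIL)
    print(f"sender domain: {report['sender_domain']}")
    for link in report["offsite_links"]:
        print(f"off-site link via {link['domain']}: {link['url']}")
```

The point of comparing against the sender's own domain rather than a fixed allow-list is that this is exactly the test a recipient can do by eye: a legitimate reset email from evernote.com should contain only evernote.com links, and any tracking redirect makes it indistinguishable from a phish by that test.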
5. Users: Prepare To Be Spammed.
The good news for Evernote's users is that attackers don't appear to have stolen any of their content, which is a big concern for a cloud service that's used as a note-taking tool by millions of people. The bad news, however, is that attackers may have what they came for: a list of 50 million working usernames and email addresses. What's the risk? For starters, they could send fake password-reset emails to every Evernote customer.
Expect the attackers to keep the information to hand for future spam campaigns. Indeed, Slashgear reported Saturday that some users of Dropbox -- which was hacked in July 2012 -- have been reporting a sudden influx of spam emails that appear to be from LinkedIn or PayPal, as well as undisguised offers from online gambling sites and casinos. Some users have also reported receiving the spam via email addresses they've set up solely to receive Dropbox communications. Rather than the spam emails being the result of a new hack, however, Dropbox officials told Slashgear that they suspect it's just a delayed effect from when the service was hacked. In other words, the Dropbox hackers have kept the stolen email addresses and are using them as they see fit. Evernote users can expect the same to happen to them.
6. Hack Attack Volume Not Diminishing.
Evernote declined to say when it had been hacked. Likewise, its data breach notification email didn't tie its breach to any other specific attacks, noting only that "as recent events with other large services have demonstrated, this type of activity is becoming more common." But might the hack of Evernote have been the work of the same attackers who used watering-hole attacks to hack into Apple, Facebook, Microsoft and Twitter? The Twitter data breach, which resulted in the compromise of 250,000 accounts, apparently occurred in late January. But tracing the attack's source evidently took more time, as the moderator of the third-party iOS developer site iPhoneDevSDK that was surreptitiously used by attackers to launch drive-by attacks wasn't informed of the attacks until February 19. That would have given attackers a lengthy window to infect iOS developers at other businesses -- perhaps including Evernote.
7. Two-Factor Authentication Needed, Please.
What should be done about the increased number of attacks against businesses such as Evernote and Twitter, and the resulting compromise of usernames, emails and passwords? For starters, when it comes to securing users' accounts, businesses must look beyond passwords. As noted by InformationWeek columnist Jonathan Feldman in "Evernote Breach: What It Means To Enterprise IT," too few businesses have followed the security example set by game maker Blizzard, which offers its users a $6.50 two-factor authentication token, as well as a two-factor smartphone authenticator. Notably, two-factor authentication would have prevented the Evernote hackers from logging in with any passwords they successfully cracked. It would not have stopped the theft of the credential database itself, but it makes a stolen password alone insufficient for account takeover. If both Blizzard and Google can do it, what's stopping cloud services such as Twitter and Evernote from offering better security to their users? An Evernote spokeswoman didn't immediately respond to an email (sent out of normal working hours) about whether the company was evaluating or planning to roll out two-factor authentication for its users.
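To make concrete what the second factor adds, here is an added Python implementation (not Blizzard's, Google's or Evernote's code) of the time-based one-time password scheme that smartphone authenticators use, RFC 6238 TOTP built on RFC 4226 HOTP, together with a login check that requires both the password and the current code. The constructed account record, its password and the one-step clock-skew window are assumptions; the shared secret is the RFC test-vector key so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6       # code length used by common smartphone authenticators

# RFC 4226 / RFC 6238 test-vector secret, so the codes below can be checked
# against the published vectors (e.g. counter 0 -> 755224).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, so a phone
    whose clock is slightly off still works. Malformed codes are rejected
    outright; the digest compare is constant-time."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret, at + k * STEP), code)
        for k in range(-window, window + 1)
    )


# Constructed account record (assumed): salted PBKDF2 password hash plus the
# per-user TOTP secret that was provisioned into the user's authenticator.
_SALT = b"constructed-salt"
USER_DB = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"letmein", _SALT, 10_000),
        "totp_secret": SECRET,
    }
}


def login(username: str, password: str, code: str, at: int, db=USER_DB) -> bool:
    """Both factors must pass. An attacker holding a cracked password but not
    the authenticator's secret cannot produce a valid code for this step."""
    rec = db.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 10_000)
    password_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    return password_ok and verify_totp(rec["totp_secret"], code, at)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code for alice:", totp(SECRET, now))
    print("login with password only:", login("alice", "letmein", "000000", now))
    print("login with both factors:", login("alice", "letmein", totp(SECRET, now), now))
```

Note that the server stores the TOTP secret in the clear (it must, to recompute the code), so a breach of the credential database that also reaches the TOTP secrets defeats this factor; hardware tokens like Blizzard's keep the secret off the general-purpose host, and in any design the secrets should be stored separately from the password hashes.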
