Evernote joins the notably hackable club
Password reset, so sorry, no customer data at risk
Evernote has joined the growing list of companies whose cloud-based services have suffered a serious security breach, announcing over the weekend that it had implemented a service-wide password reset after attackers accessed user information.
Happily, the company's announcement notes, the passwords accessed were salted hashes, which should mean they last longer than the passwords lifted from the Australian Broadcasting Corporation recently.
The user information accessed by the attackers also included user IDs and e-mail addresses.
All Evernote users were required to reset their passwords in case the attackers are able to recover passwords from the list of salted hashes. The password reset will apply not only to Evernote logins, but to all apps that users have given access to their Evernote accounts.
Other major names to be hit in recent attacks include Apple, Facebook, Twitter and Microsoft, with a Java zero-day behind most of the vulnerabilities.
The company says the attack “appears to have been a coordinated attempt to access secure areas of the Evernote Service”.
The usual suggestion, that users choose strong passwords that they don't re-use, will no doubt be ignored by a small-but-significant number of Evernote's customers. ®
Are you doing an Eadon on Macs or something? How is this even remotely relevant?
Anyone with half a working braincell will use decent security (and virus checking) on their Mac because statements from marketing people mean exactly nothing, and I have yet to come across a system that didn't become vulnerable if you got behind on patching. For example, Apple has been patching the evil brew from Oracle called Java twice in a row, and using products from Adobe and Microsoft has also been found to introduce risks for which patches have been issued.
Furthermore, gaining access to that depth of production data from a desktop would raise a lot more questions than just which platform was compromised.
So, did you fail to catch up with the real world, or are you a non-Mac user sniping from the sidelines?
Getting hacked does not look good but:
They came clean quickly
They stored passwords as salted hashes (with what I hope would be individual salt for each password)
They got their users to reset passwords
Other organisations have handled the same situation far worse.
Re: PASSWORD RESET: Dumping the burden on users' shoulders
"It will certainly be ignored by many, who will perhaps keep grumbling indefinitely without seriously thinking about the practicable alternative to alphanumeric passwords."
What alternative are you speaking of there? As much as you and I may like the idea of a long string, the fact is that the vast majority of sites won't allow longer than about 16 characters. A great deal of those sites will also restrict you to alphanumeric while rejecting all others. You can only blame users for so long before you have to look at the sites and what they allow.