Tuesday, March 5, 2013

Hackers Clip Evernote, Forcing 50M Password Resets

The recent string of security breaches to hit technology companies continued over the weekend, as Website and note-clipping service Evernote announced that someone had accessed usernames and passwords. Companies may now want to consider new methods of making sure users are who they claim to be, including two-factor authentication and better tracking of login attempts.



Evernote, which makes software that lets users copy and store a variety of text and Web pages, announced over the weekend that it had been hacked, forcing the company to ask its 50 million users to reset their passwords.
The company said hackers gained access to usernames, email addresses associated with Evernote accounts, and encrypted passwords. Evernote has no evidence that any of the content users stored on its servers was affected, or that any payment information for its premium and business service customers was accessed.
The hack follows similar security breaches announced recently at Apple and Facebook. The cumulative impact of these incidents may force companies to consider authentication methods stronger than usernames and passwords alone.
"There continues to be a real risk [to companies] of employees using free, public cloud solutions like Evernote, which puts an organization at risk for data leaks," Rama Kolappan, director, mobile product marketing and management at Accellion, told TechNewsWorld.
"Companies and users need to realize that security is not a one-size-fits-all situation," Richard Wang, manager of SophosLabs US, told TechNewsWorld. "The appropriate authentication mechanism should depend on the security of the data being protected."
Evernote did not respond to our requests to comment for this story.

How Evernote Responded to the Breach

In addition to posting information on its blog, Evernote is requiring all users to reset their account passwords. Users will also need to enter the new password in other Evernote apps. The company is updating several of its apps to make the password change process easier.
Evernote also urged users to avoid simple passwords based on dictionary words, to avoid reusing the same password across multiple sites or services, and never to click on "reset password" requests in emails. Users should instead go directly to the service where the password needs to be reset.
However, Evernote contradicted its own advice by including clickable links in the email it sent out to users warning them not to click on password reset requests sent in emails. The company's links take users to a site called "mkt5371" rather than to Evernote's website. "Mkt5371" is a domain owned by Silverpop, an email communications firm Evernote is using to send out emails to its millions of users.
"If a service I used displayed that message, I would assume someone was trying to hack my account," Alex Horan, security strategist at Core Security, told TechNewsWorld. "They should have issued a clear message to show they were on top of the situation and to keep people calm. I agree with the action Evernote took -- resetting everyone's passwords -- but I think they created more confusion by making it seem like the user had issued a password reset."
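The contradiction described above (a notice telling users not to click reset links in email, while its own links point at a third-party mailer's domain) is exactly what a mail filter or a cautious user checks for. Below is an added example, not Evernote's or Silverpop's code, that extracts the links from an HTML reset notice and flags any whose host is not under the service's own domain; the sample message and every domain name in it are constructed.

```python
# Added illustration of the problem described above: a password-reset notice whose
# links go through a third-party mailer's domain instead of the service's own. Not
# Evernote's or Silverpop's code; the sample message and domain names are constructed.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def offsite_links(raw_email, service_domains):
    """Return hrefs from the HTML parts whose host is not under the service's domains."""
    msg = message_from_string(raw_email)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    offsite = []
    for href in collector.links:
        host = urlparse(href).hostname
        # Links with no host (mailto:, javascript:, relative paths) are flagged too.
        if not host or not host_in_domains(host, service_domains):
            offsite.append(href)
    return offsite

# Constructed sample: the notice tells users not to click reset links in email,
# yet its own "reset" link goes through a mailer's tracking domain.
SAMPLE_EMAIL = """\
From: no-reply@example-service.test
Subject: Please reset your password
Content-Type: text/html; charset="utf-8"

<p>Never click password reset links in email; go directly to our site.</p>
<p><a href="https://links.mailer-tracker.test/r/abc123">Reset your password</a></p>
<p><a href="https://www.example-service.test/security">Security notice</a></p>
"""
```

Running `offsite_links(SAMPLE_EMAIL, ["example-service.test"])` flags only the mailer-tracker link; a service that wants its notices to pass this check must either send links under its own domain or tell users which mailer domain to expect.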
(ect)
