Online Service Hacked

Monday, March 4, 2013 @ 07:03 PM gHale

Evernote, an online service that enables users to store and sync all kinds of data across multiple devices, suffered an attack.

Attackers compromised user information, including email addresses and hashed passwords, Evernote officials said.

Evernote officials said they did not think the attackers were able to gain access to any of the data that users store on the service. However, the company said it was requiring that all users change their passwords immediately.

“In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed,” Dave Engberg, the Evernote CTO, said in a blog post.

“The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption.”

Although the company does not say what hash algorithm it uses to protect passwords, it uses 64-bit RC2 to encrypt data within users’ notes.

“For Evernote’s consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow,” Evernote said.

Evernote users can store just about any kind of data on the service, including text, video and other information. Users can encrypt data within specific notes, and the company doesn’t have a copy of users’ keys, so if the passphrase is lost or compromised, there’s no way for the company to recover that data.

Evernote sent all of its users an email detailing the incident and informing them they need to change their passwords before logging in the next time.
