Evernote hacked – almost 50 million passwords reset after security breach

Evernote, the online note-taking service, has posted an advisory informing its near 50 million users that it has suffered a serious security breach that saw hackers steal usernames, associated email addresses and encrypted passwords.

It’s not clear how the hackers managed to gain access to Evernote’s systems, or how long the hackers had access to Evernote’s account information.

However, in an interview with TechCrunch, Evernote said that they had first noticed suspicious activity on February 28th.

The good news is that no payment details were stolen, and according to the company the hackers were not able to access notes that users had stored on the Evernote service.


Furthermore, it sounds as though the passwords were not stored in plain text but were hashed and salted, which makes it harder for login details to fall into the wrong hands. (It would, of course, be reassuring if Evernote shared more details of how the passwords were hashed and salted, since the strength of that protection depends on the method used.)

Evernote advisory

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

What’s not good news is that the hackers now have access to the usernames and email addresses of Evernote customers. It is easy to imagine how this information could be abused – for instance, the hackers could send out spam emails to those users claiming to come from Evernote, and trick them into visiting a malicious website.

And, of course, it’s another cautionary tale about the risks which can exist with trusting the cloud to look after your personal information. Evernote sounds to me like it’s another online service that would benefit from providing its users with additional account security – such as two factor authentication.

Evernote advises users to choose a strong password, and to be suspicious of password reset links sent to them via email. Furthermore, everyone should ensure that they are not using the same password on multiple sites.

Evernote appears to have acted reasonably rapidly in response to this security incident, and it will be interesting to see if they share any more information about how the hack might have occurred in the coming days.

Further reading: Evernote shoots itself in foot over “never click on ‘reset password’ requests” advice

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
