Cloud note-taking service Evernote has been hacked, the company has revealed today, with an unidentified attacker compromising servers and extracting usernames, email addresses, and encrypted passwords. The attack has forced a mandatory password reset, meaning all users must change their password before they can log back into their account, but Evernote says there is no evidence of either notes being viewed by a third party, or payment details of Evernote Premium or Business users being accessed.
Evernote has begun to notify all users of the breach by email, though the company is confident that the data itself is safe. "The passwords stored by Evernote are protected by one-way encryption," Evernote said, "in technical terms, they are hashed and salted."
"On February 28th, the Evernote Operations & Security team became aware of unusual and potentially malicious activity on the Evernote service that warranted a deeper look. We discovered that a person or persons had gained access to usernames, email addresses and encrypted user passwords. In our ongoing analysis, we have found no evidence that there has been unauthorized access to the contents of any user account or to any payment information of Evernote Premium and Evernote Business customers," an Evernote spokesperson said.
Exactly how the hack took place has not been revealed, though Evernote says its Operations & Security team is still investigating. However, it's believed to be "a coordinated attempt" to steal, change, or delete user data.
Evernote insists that its "password encryption measures are robust" but also says that it is "taking additional steps" to bolster security, of which forcing a password change is one part. The company also suggests that people choose more complex passwords, avoid dictionary words, and not use the same password across multiple sites or services.