Evernote Security Issue

Published: 2013-03-02
Last Updated: 2013-03-02 18:02:10 UTC
by Scott Fendley (Version: 1)
1 comment(s)

Evernote, a popular app for note taking and archiving, reported that they had a security incident.  As a part of their incident response and operational security monitoring, their staff noted that the compromise had occured and that the attackers were actively attempting to access secured areas of their system.  While they did not have evidence of sensitive data being compromised, user profile data (passwords, email addresses and similar) has likely been.  In response, they are forcing all user credentials to be changed.

From an incident response point of view, I will have to commend Evernote for how they are handling the situation. 

It appears that their security operations was able to detect the incident in a reasonable period of time (within a day).  In addition, their communications/PR arm responded with good initial recommendations in the news article.  And while there is not much technical information yet, they were able to limit some of the questions about how they stored passwords (one way hash with salting).  It is my guess that Evernote has been preparing for the eventuality that a security breach would occur, and prepared all of the appropriate parties to respond.

Protect, Detect, Respond, Recover.  Remember to not just focus on one or two of these within the continuum.

And if you use Evernote, change your credentials soon to limit your personal exposure.



Scott Fendley ISC Handler

1 comment(s)


"Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure" It seems organizations like this are coming forward quicker, I think they've found bad news travels faster than good and the repercussions rarely are good. . Unlike Financial Orgs were there is really not many choices but a mattress, other companies rely on their customers. It is yet another prime example there needs to be a more robust encryption baseline implemented .

Diary Archives