Evernote Hacked

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

It might be easier to list the major sites that haven’t been hacked at this point.

It looks as if Evernote were using best practice in hashing and salting passwords, which is good news.  Any service that isn’t doing that needs to take a very close look at itself.

I maintain that services such as Evernote, of which I’ve been a user since its beta days and a long-term “Premium” user, can only secure their data in two ways.  The first is to assume that someone already has access.  So ensure that sensitive data is encrypted as strongly as reasonably possible (hashing using the most common algorithms is no longer sufficient given the depth and breadth of rainbow tables available, salting is a must), decouple data as much as possible and store only what is absolutely necessary.  The other thing companies must do is to have robust monitoring in place to detect when an attack actually does happen and partner it with a suitable response (which must be honest and open when dealing with customers).

I hope this doesn’t hurt Evernote too badly, it’s an excellent service that I regularly recommend to people.

via Evernote Blog | Security Notice: Service-wide Password Reset.