Evernote note service hacked – password reset mails worry users
Over the weekend, Evernote, the makers of the cross-platform, synchronised note capture and management system of the same name, found and blocked suspicious activity on the company network. The company has over 50 million users and says the hack was a "coordinated attempt to access secure areas of the Evernote Service", but although it says it has no evidence that Evernote content or payment information was accessed, it does admit that the attackers got hold of usernames, email addresses and passwords.
Further details of the attack, such as how the attackers got access, were not given, though the announcement mentions: "as recent events with other large services have demonstrated, this type of activity is becoming more common", which may suggest that the attack was connected to the watering-hole attack in January where Java 0day exploits were used to gain access to Facebook, Apple, Microsoft and Twitter.
Initially, the company required that users sign in to the web site to update their password, with users of its mobile applications being blocked from logging in. It has, though, begun shipping out updates to its mobile device applications to make it possible to respond to the forced password update from the apps.
Although the company feels its hashed and salted passwords are "robust", it reset the passwords of all Evernote users and emailed them to say so. Unfortunately, the Evernote emails were a potential gift for phishers, as the click-through links in the email sent users to "http://links.evernote.mkt5371.com/" rather than directly to Evernote. The address belongs to a company called Silverpop, which does email marketing and user tracking, but with an event as major as a system-wide password reset, users need to be able to validate the links the company sends them.
Sending out emails with a throwaway domain in the links doesn't help users adopt secure behaviour, as it becomes harder to distinguish between a legitimate email and a phisher's email using the phisher's own throwaway domains. Evernote itself says "Never click on 'reset password' requests in emails — instead go directly to the service", but then sends out mails in the company's name linking to a third-party service. According to Evernote's Andrew Sinkov, "When we realized that the links were making users uncomfortable, we paused the mailing and stripped them out."
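The point above is that a recipient (or a mail gateway) can only validate a reset email if its links actually resolve to the sender's own domain. The following is an added illustration, not code from the article or from Evernote: it pulls the anchors out of an HTML mail body and flags every link whose host is not under the expected domain or is served over plain HTTP. The sample mail body is constructed here; the tracking host "links.evernote.mkt5371.com" is the one quoted in the article, and the Evernote login path is assumed for the example only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_on_domain(host, expected):
    """True only if host is the expected domain or a subdomain of it.

    A plain substring test would wrongly accept hosts that merely contain the
    brand name, so the check is anchored to a dot boundary.
    """
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify_links(html, expected_domain):
    """Return one record per link with the indicators a reader should look at."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        results.append({
            "href": href,
            "text": text,
            "host": host,
            # Does the link stay on the sender's own domain?
            "on_domain": bool(host) and host_on_domain(host, expected_domain),
            # A password-reset link over plain HTTP can be tampered with in transit.
            "insecure_scheme": parts.scheme.lower() != "https",
        })
    return results


# Constructed mail body: one link to the service itself (path assumed) and one
# to the third-party tracking host quoted in the article.
SAMPLE_EMAIL = """
<p>We have reset your password.</p>
<p><a href="https://www.evernote.com/Login.action">Sign in to Evernote</a></p>
<p><a href="http://links.evernote.mkt5371.com/ctt?kn=1">Reset your password</a></p>
"""

if __name__ == "__main__":
    for rec in classify_links(SAMPLE_EMAIL, "evernote.com"):
        verdict = "ok" if rec["on_domain"] and not rec["insecure_scheme"] else "SUSPECT"
        print(f"{verdict:8} {rec['host']:30} {rec['href']}")
```

Run against the sample, the login link is reported as on-domain over HTTPS while the Silverpop link is flagged twice: its registrable domain is mkt5371.com, not evernote.com, and it uses plain HTTP. That is exactly the signal a user is asked to rely on, and exactly what a third-party tracking redirect destroys.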
The incident has also brought previous issues with Evernote security to the fore, with some users complaining that Evernote's RC2-based content encryption was chosen for exportability rather than security and that the two-factor authentication that has been promised over the past year has not yet been implemented.