Hackers Clip Evernote, Forcing 50M Password Resets
The recent string of security breaches to hit technology companies continued over the weekend, as Web-clipping and note-taking service Evernote announced that someone had accessed usernames and passwords. Companies may now want to consider new methods of making sure users are who they claim to be, including two-factor authentication and better tracking of login attempts.
03/04/13 2:59 PM PT
Evernote, which makes software that lets users copy and store a variety of text and Web pages, announced over the weekend that it had been hacked, forcing the company to ask its 50 million users to reset their passwords.
The company said hackers gained access to usernames, email addresses associated with Evernote accounts, and encrypted passwords. Evernote said the stored passwords are protected by one-way encryption (in technical terms, hashed and salted), which is what makes a stolen copy hard to read; it also means the hashes can be attacked offline, which is why a forced reset of every account is the prudent response. Evernote has no evidence that any of the content users stored on its servers was affected, or that any payment information for its premium and business service customers was accessed.
The hack follows similar security breaches announced recently at Apple and Facebook. The cumulative impact of these incidents may push companies toward authentication that is stronger than a username and password alone.
"There continues to be a real risk [to companies] of employees using free, public cloud solutions like Evernote, which puts an organization at risk for data leaks," Rama Kolappan, director, mobile product marketing and management at Accellion, told TechNewsWorld.
"Companies and users need to realize that security is not a one-size-fits-all situation," Richard Wang, manager of SophosLabs US, told TechNewsWorld. "The appropriate authentication mechanism should depend on the security of the data being protected."
Evernote did not respond to our requests to comment for this story.
How Evernote Responded to the Breach
In addition to posting information on its blog, Evernote is requiring all users to reset their account passwords. Users will also need to enter the new password in other Evernote apps. The company is updating several of its apps to make the password change process easier.
Evernote also urged users to avoid using simple passwords based on words in dictionaries; avoid using the same password on multiple sites or services; and to never click on "reset password" requests in emails. Users should go directly to the service where the password needs to be reset.
However, Evernote contradicted its own advice by including clickable links in the email it sent out to users warning them not to click on password reset requests sent in emails. The company's links take users to a site called "mkt5371" rather than to Evernote's website. "Mkt5371" is a domain owned by Silverpop, an email communications firm Evernote is using to send out emails to its millions of users.
"If a service I used displayed that message, I would assume someone was trying to hack my account," Alex Horan, security strategist at Core Security, told TechNewsWorld. "They should have issued a clear message to show they were on top of the situation and to keep people calm. I agree with the action Evernote took -- resetting everyone's passwords -- but I think they created more confusion by making it seem like the user had issued a password reset."
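The mismatch described above, a reset notice whose links go somewhere other than the service's own site, is exactly what a recipient (or the team sending the mail) should check before anyone clicks. The following is an added example, not code from the article or from Evernote: it pulls every link out of an email body and accepts a link only if it uses HTTPS and its registrable domain is on a trusted list. The email body, the third-party tracking domain and the lookalike domain are all constructed for the example; the only real name is evernote.com.

```python
"""Added example (not from the article): verify that links in a password-reset
notice point at the service's own domain. Email body and non-Evernote domains
are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed email body: one genuine link, one routed through a third-party
# mailer's tracking domain, one lookalike that merely starts with the brand.
SAMPLE_EMAIL = """<p>Please reset your password:</p>
<a href="https://www.evernote.com/Login.action">Reset now</a>
<a href="http://links.example-esp.net/track?u=123">Reset now</a>
<a href="https://evernote.com.evil.example/login">Reset now</a>
"""

TRUSTED_DOMAINS = {"evernote.com"}


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags; tolerant of sloppy marketing HTML."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Adequate for .com/.net style hosts;
    a production check would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Return (url, is_trusted) for every link in the email.

    urlparse().hostname already strips userinfo, so a trick such as
    https://evernote.com@attacker.example/ resolves to the attacker host.
    """
    collector = LinkCollector()
    collector.feed(html)
    verdicts = []
    for url in collector.links:
        parts = urlparse(url)
        host = parts.hostname or ""
        trusted = (parts.scheme == "https"
                   and registrable_domain(host) in trusted_domains)
        verdicts.append((url, trusted))
    return verdicts


if __name__ == "__main__":
    for url, trusted in check_links(SAMPLE_EMAIL):
        print("OK  " if trusted else "BAD ", url)
```

Only the first link passes; the tracking redirect fails on domain (and scheme), and the lookalike fails because its registrable domain is evil.example, not evernote.com. A sender that wants click tracking without training users to click foreign domains can host the redirector under its own domain.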
How Companies Should Protect Users
Firms like Evernote should give users only the basic privileges they need, Wang said. This limits the damage an attacker can do with a compromised account.
Companies should also implement two-factor authentication where appropriate, especially for remote access from devices the company does not manage.
The two factors should come from different categories of evidence. "For example, passwords and security questions are both something you know, and therefore are both subject to similar attacks," Wang said. The two factors could be something a user knows and something the user has -- such as a mobile phone -- or something the user is, such as biometric information.
Multi-factor authentication, ensuring users are connecting from a trusted or corporate device, and monitoring login attempts are ways companies can secure user accounts, Horan said.
"Monitor both login failures -- to detect someone who compromised a user list and is trying to brute-force accounts -- and successes," he noted. "For example, if for the past four years I have logged in from a Boston IP address at around 9 a.m. every weekday morning, and I am suddenly logging in from China on a Sunday, that should be flagged and investigated."
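Both halves of that advice can be turned into straightforward detection logic. The following is an added example, not code from the article or from any vendor quoted in it: it reads a small constructed login log, flags a source address that fails against many different usernames in a short window (the signature of someone working through a stolen user list), and flags a successful login that breaks a user's established baseline of country, hour and weekday. The log lines, IP addresses and baseline are all constructed for the example.

```python
"""Added example (not from the article): score login events for brute-force
bursts and for successes that break a user's established baseline.
All log lines, addresses and baselines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one event per line: timestamp user src_ip country result
# 2013-03-01 is a Friday; 2013-03-03 is a Sunday.
SAMPLE_LOG = """\
2013-03-01T09:02:11Z alice 198.51.100.7 US success
2013-03-01T09:03:40Z bob 203.0.113.9 US failure
2013-03-01T09:03:41Z carol 203.0.113.9 US failure
2013-03-01T09:03:42Z dave 203.0.113.9 US failure
2013-03-01T09:03:43Z erin 203.0.113.9 US failure
2013-03-01T09:03:44Z frank 203.0.113.9 US failure
2013-03-01T09:03:45Z grace 203.0.113.9 US failure
2013-03-03T03:17:05Z alice 192.0.2.44 CN success
"""

# Constructed baseline: alice has logged in from the US on weekday mornings.
BASELINES = {
    "alice": {"countries": {"US"}, "hours": set(range(8, 11)), "weekdays_only": True},
}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP whose failures span `threshold` distinct usernames
    inside `window`. Counting distinct users, not raw failures, separates a
    list replay from one person mistyping their own password."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(users) >= threshold:
                alerts.append({"type": "bruteforce", "ip": ip, "users": len(users)})
                break  # one alert per source IP is enough
    return alerts


def detect_anomalous_success(events, baselines=BASELINES):
    """Flag a successful login that violates the user's baseline: unexpected
    country, unusual hour, or a weekend login from a weekday-only user."""
    alerts = []
    for e in events:
        if e["result"] != "success" or e["user"] not in baselines:
            continue
        b = baselines[e["user"]]
        reasons = []
        if e["country"] not in b["countries"]:
            reasons.append("country=" + e["country"])
        if e["ts"].hour not in b["hours"]:
            reasons.append("hour=%d" % e["ts"].hour)
        if b["weekdays_only"] and e["ts"].weekday() >= 5:
            reasons.append("weekend")
        if reasons:
            alerts.append({"type": "anomalous_success", "user": e["user"],
                           "ip": e["ip"], "reasons": reasons})
    return alerts


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return detect_bruteforce(events) + detect_anomalous_success(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Run against the sample, it raises two alerts: the six-username burst from 203.0.113.9, and alice's Sunday 03:17 success from CN, which breaks all three baseline checks. Her Friday 09:02 login from the US is left alone. In production the baseline would be learned from history rather than hard-coded, and the successful-login alert is the one to route to a human, since a credential that already worked is past the point where lockouts help.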
There is no security panacea, Wang added. "As long as there are people on the other side trying to break in, there will never be a completely secure system."