Evernote’s official discussion forum has suffered a security breach, which has allowed hackers to access users’ profile information and (in some cases) password hashes.
The announcement of the security incident was made by Geoff Barry, a community manager at Evernote:
Important information regarding your discussion forum account
(Users impacted by this announcement will have received an email)
The vendor that operates https://discussion.evernote.com has notified us that they had been hacked. The hacker was able to retrieve our forum members’ profile information. We don’t believe that the hacker accessed any private forum messages.
Our forum is a completely separate service from the Evernote Service. The Evernote Service was not affected and your notes are still secure. We do not store your Evernote password on our discussion forum servers and you do not need to change it.
If you created an account on our old forum in 2011 or earlier, then the hash of the password you used at that time was taken as part of this incident. If you use that same password on other services today, please update it. For all other forum members, only your email address and birthday, if you provided one, were taken.
We are sending email notifications to all affected forum users detailing what was exposed.
Of course, it’s very possible that those users whose passwords have been put at risk could be using those same passwords elsewhere on the net. Perhaps even on the main Evernote service itself.
It’s never a good idea to reuse passwords, or to use passwords that can be easily cracked – such as dictionary words, or the names of your family members or pets.
Make sure that all of your passwords are unique, and hard to guess or crack.
If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or key logger) and then hackers using it to unlock your other online accounts.
Evernote is keen to underline that its main servers were not compromised by the hackers, and that it was only its discussion forum that suffered from the security breach.
That doesn’t mean, of course, that Evernote hasn’t fallen foul of hackers in the past.
Just last week Evernote was hit by a denial-of-service attack that disrupted access for many users around the world for some hours. But more seriously, in March 2013 Evernote reset the passwords of 50 million users after it suffered a hack attack.