Evernote forum hacked, some users warned passwords could be exposed

Evernote's official discussion forum has suffered a security breach, which has allowed hackers to access users' profile information and (in some cases) password hashes.

The announcement of the security incident was made by Geoff Barry, a community manager at Evernote:


Important information regarding your discussion forum account

(Users impacted by this announcement will have received an email)

The vendor that operates https://discussion.evernote.com has notified us that they had been hacked. The hacker was able to retrieve our forum members’ profile information. We don’t believe that the hacker accessed any private forum messages.

Our forum is a completely separate service from the Evernote Service. The Evernote Service was not affected and your notes are still secure. We do not store your Evernote password on our discussion forum servers and you do not need to change it.

If you created an account on our old forum in 2011 or earlier, then the hash of the password you used at that time was taken as part of this incident. If you use that same password on other services today, please update it. For all other forum members, only your email address and birthday, if you provided one, were taken.

We are sending email notifications to all affected forum users detailing what was exposed.

Of course, it's very possible that those users whose passwords have been put at risk could be using those same passwords elsewhere on the net. Perhaps even on the main Evernote service itself.

It's never a good idea to reuse passwords, or to use passwords that can be easily cracked - such as dictionary words, or the names of your family members or pets.

Make sure that all of your passwords are unique, and hard to guess or crack.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or key logger) and then hackers using it to unlock your other online accounts.

My advice for those who find passwords a burden is to simply use password management software like Bitwarden, 1Password, and KeePass to make them both safer and easier to remember.

Evernote is keen to underline that its main servers were not compromised by the hackers, and that it was only their discussion forum that suffered from the security breach.

That doesn't mean, of course, that Evernote hasn't fallen foul of hackers in the past.

Just last week Evernote was hit by a denial-of-service attack that disrupted access for many users around the world for some hours. But more seriously, in March 2013 Evernote reset the passwords of 50 million users after it suffered a hack attack.


2 Responses

  1. the useful blogspot

    June 17, 2014 at 8:09 am #

    The mail I got was a bit different:

    The vendor that operates our discussion forum at https://discussion.evernote.com notified us they have been hacked. The hacker was able to retrieve your email address. We don’t believe that the hacker accessed any private forum messages.

    Our forum is a completely separate service from the Evernote Service. The Evernote Service was not affected and your notes are still secure. We do not store your Evernote password on our discussion forum servers and you do not need to change it.

    You do not need to take any action at this time. Since they were able to access your email address, we encourage you to be extra vigilant when clicking on links in emails from unknown sources.

  2. Tom

    June 17, 2014 at 2:11 pm #

    I must admit: this one confuses me. I don't recall ever going to the evernote forum and registering (I'm not saying I didn't, just saying I don't recall doing such an activity). I went there today and searched but couldn't find myself among the registered users. But I did see that I could log in using my evernote credentials. So, does this mean my forum credentials are the same as my evernote credentials? This seems to contradict the statement from evernote regarding no need to change passwords.
