Skip to main content

Evernote hack forces users to reset passwords

If you're a big fan of Evernote, we hope you have a few new password ideas in mind. Over the weekend, the service suffered a "coordinated attempt to access secure areas of the Evernote Service," and all of Evernote's 50+ million users are being forced to reset their passwords before they'll be allowed access to the service once again.

On the plus side, the data that you store on Evernote – as well as your (likely more) important payment information if you're ponying up a fee to unlock more capabilities within the service – remain free from access by third-party attackers, Evernote says.

"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed," reads the company's blog post.

However, attackers were seemingly able to access a treasure trove of information related to users' actual accounts, including user names, passwords, and email addresses. The passwords themselves "are protected by one-way encryption," Evernote notes, which should allay a few fears for those users who end up using the same (or similar) passwords for a number of different online accounts — a practice Evernote itself calls out as one that users might want to resist doing going forward.

The attack itself was first picked up by the company's operations and security team on 28 February, when team members first noticed "unusual" and "potentially malicious activity" on Evernote.

"They are continuing to investigate the details. We believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks," a Evernote spokesperson wrote in an email to CNET.

"At this time we believe we have blocked any unauthorized access, however security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account log-in. We are actively communicating to our users about this attack through our blog, direct e-mails, social media, and support. This simple step of users creating strong, new passwords will help ensure that user accounts remain secure," the spokesperson added.