On Saturday, the online note-taking SaaS (software as a service) company Evernote posted a blog entry, followed by an email to users, stating that they had discovered and blocked unauthorized activity on their network. In response to the attack, they reset the passwords of the nearly 50 million people currently using their system.
Evernote explained that their passwords were both salted and hashed. Salting and hashing do not make a stolen password table useless to an attacker: the salt is stored next to the hash, so anyone holding the table can still guess passwords offline, one account at a time, and weak passwords fall quickly. The company therefore still chose, for safety's sake, to implement the password reset. I personally think taking this approach, although mildly inconvenient for the people who have to change their passwords, is ultimately smarter for the company, and shows a great respect for their users' security (ABC News reports that Evernote was the only hacked company that has ever required the reset).
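To make the point concrete, here is an added example (my own illustration, not Evernote's code, and the post does not say which hash function they used) of what "salted and hashed" looks like, and of why a stolen salt-plus-hash pair still permits offline guessing. PBKDF2-HMAC-SHA256, the iteration count and the small wordlist are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed parameters for illustration; the post does not state Evernote's choices.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    A fresh random salt per user means two users with the same password get
    different digests, and a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding the leaked (salt, digest) pair can do.

    The salt does not stop guessing; it only forces each account to be
    attacked separately, and the slow hash only raises the cost per guess.
    A password that appears in a wordlist is still recovered.
    """
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


# Constructed sample data: two accounts, one weak password and one strong one.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty", "evernote"]
WEAK_SALT, WEAK_DIGEST = hash_password("password123")
STRONG_SALT, STRONG_DIGEST = hash_password("mauve-trombone-91-glacier")


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the attacker's guessing loop against both leaked records."""
    weak_result = offline_guess(WEAK_SALT, WEAK_DIGEST, WORDLIST)
    strong_result = offline_guess(STRONG_SALT, STRONG_DIGEST, WORDLIST)
    return weak_result, strong_result


if __name__ == "__main__":
    weak, strong = demo()
    print("weak account recovered as:", weak)        # the wordlist password
    print("strong account recovered as:", strong)    # None: not in the wordlist
```

The forced reset is what turns the attacker's recovered guesses into dead credentials; the hashing only buys the time needed to get the reset out.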
The data accessed included usernames, salted and hashed passwords, and email addresses, although none of the users' content was available:
“In our security investigation, we have found no evidence that any of the content that you store in Evernote was accessed, changed, or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.”
In response to this breach, Evernote has decided to accelerate the rollout of two-factor authentication. In an email to InformationWeek, spokesperson Ronda Scott explained that these plans had already been in the works before the breach:
“We were already planning to roll out optional two-factor authentication to all of our users later this year…We are accelerating those plans now.”
As I mentioned in an earlier blog post, two-factor authentication is a wonderful bit of added security to keep attackers from accessing your data. It requires the user to present both a password and a verification code from something they physically possess (often a hardware fob or a cellphone app). If the same sort of breach happened to a company that uses two-factor authentication, then even if passwords were cracked from the stolen hashes, the attackers could not log in without also having the phones or fobs belonging to those accounts. Two caveats are worth keeping in mind: the second factor protects the login path, not data that has already been copied, so stolen email addresses remain useful for phishing; and it is optional, so it only helps the users who turn it on.