Evernote admits hack, fails to take its own advice

Cloud-based note-taking service Evernote has admitted it’s been hacked, threatening the personal information of its 50 million users.

The company says that user names, email addresses and encrypted passwords have been accessed, but says there’s no evidence that payment details or stored content have been accessed, changed or lost. And, it says, passwords are all hashed and salted, making it extremely difficult for the hackers to uncover the original, unencrypted password.

All the same, the company’s warning users to change their passswords to be on the safe side.

“While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure,” it warns users in an email. “This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords.”

There’s no information as to how the hackers gained access – although recent high-profile hacks of Apple, Facebook and Microsoft have exploited  zero-day Java vulnerability in Java web plugins. Many industry experts have warned that users should disable Java to be on the safe side.

Amongst other advice, Evernote’s email to customers contains the warning that users should “never click on ‘reset password’ requests in emails – instead go directly to the service.”

This is, of course jolly sensible. A bit of a shame, then, that it’s advice Evernote fails to take itself. Its email to customers asks them to do exactly that, resetting passwords by clicking on a link within the email – a link that doesn’t take users directly to evernote.com, but instead to a site called mkt5371.

But rest assured – this isn’t a phishing attempt.

“This was just carelessness on Evernote’s part. mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users,” says Graham Cluley of security firm Sophos.

The link does take users to the Evernote website, simply detouring a little via Silverpop, presumably so that Evernote can track and collect data on how successful the email campaign has been.

“That’s a technique commonly used in a normal marketing email communications, but looks very out of place in an email about a security breach which tries to hammer home the point to “Never click on ‘reset password’ requests in emails – instead go directly to the service,” says Cluley.