This past weekend Evernote became the latest to post a security notice. The company said it "discovered and blocked suspicious activity" on the network and, as a result, all Evernote users were required to perform a password reset. Evernote's handling of the issue seems to have been good, though there were some complaints.
Setting those aside for a moment, let's instead dive into what happened with Evernote. The Evernote team has said that the activity they blocked was an attempt to access secure areas of the service. The good news here is that Evernote also went on to say that they found "no evidence that any of the content you store in Evernote was accessed, changed or lost." Perhaps even nicer, they also found no evidence that payment information was accessed.
Data that was accessed included usernames, email addresses and encrypted passwords. The passwords, while accessed, should still be safe as Evernote had them hashed and salted. Basically, it seems that this password reset is just a matter of additional security. In addition to changing your Evernote password, you should also reset the password for any other services that shared your Evernote password. While you should never share a password across services, we know there are plenty of people who do just that.
Some tips for choosing a new password: steer clear of simple passwords based on dictionary words, or passwords that tie into your life personally, such as the name of a loved one. In fact, we would suggest using a password generator to create something truly random. Another good tip is to avoid clicking a link in any password reset email and instead navigate to the website on your own.
Now let's get back to the complaints that we have seen. It seems that some users were upset they didn't receive an email first.
It seems some users were getting on-device error messages before any email was received from Evernote. As an Evernote user myself, I noticed the same. In fact, I had an email in my inbox from IFTTT before I had one from Evernote. The one catch for me: I had been reading my Twitter stream and had seen their tweet announcing the reset, so it was not much of a surprise. Of course, all said and done, we suspect no timing in an event like this will be perfect, and overall we commend Evernote for acting so quickly.
[via Evernote Blog]