Evernote forum hacked, revealing users’ passwords and email addresses

Note-taking and archiving app Evernote has announced that its discussion forum has been hacked, compromising some users’ passwords, dates of birth and email addresses.

The hack was revealed yesterday afternoon in a post by an Evernote forum admin, who wrote: “The vendor that operates https://discussion.evernote.com has notified us that they had been hacked. The hacker was able to retrieve our forum members’ profile information. We don’t believe that the hacker accessed any private forum messages.”

The company was at pains to emphasise that only forum passwords dating from 2011 or earlier were compromised, and not passwords for Evernote itself. Users’ notes themselves are secure. However, as security expert Graham Cluley points out, users may be vulnerable if they re-used their forum password elsewhere.

Users who joined Evernote after 2011 should not need to change their passwords, as Evernote introduced a single password system for the forum and the app, under which password data was not sent to the third party responsible for hosting the forum. According to ZDNet, the Evernote forum currently has 164,644 registered members; Evernote has not disclosed how many were affected by the hack.

Evernote has reached out to the users who were affected. According to posts on the forum discussing the hack, the compromised passwords had been ‘hashed’ – stored as the output of a one-way function rather than in plain text, which provides a basic level of protection.

Last Tuesday, Evernote was the subject of a denial-of-service (DoS) attack that stopped users from accessing their accounts. The DoS attack had been repelled by the following day, and Evernote reassured customers that no hacking had taken place during the attack.

Following a major hack in 2013 that saw intruders able to reset user passwords and access full personal details, Evernote introduced an optional two-factor authentication system, whereby users could use a code sent to their smartphone to prove their identity. Evernote has more than 100m users.

Author Alan Martin, ESET

  • anigel

    Never understood why these companies feel they have some real need to ask for a date of birth in the first place!

Copyright © 2014 ESET, All Rights Reserved.