Evernote forum hacked, revealing users’ passwords and email addresses

Note-taking and archiving app Evernote has announced that its discussion forum has been hacked, compromising some users’ passwords, dates of birth and email addresses.

The hack was revealed yesterday afternoon in a post by an Evernote forum admin, saying that “The vendor that operates https://discussion.evernote.com has notified us that they had been hacked. The hacker was able to retrieve our forum members’ profile information. We don’t believe that the hacker accessed any private forum messages.”

The company was at pains to emphasise that only forum passwords dating from 2011 or earlier were compromised, and not passwords for Evernote itself. Users’ notes themselves are secure. However, as security expert Graham Cluley points out, users may be vulnerable if they re-used their forum password elsewhere.

Users who joined Evernote after 2011 should not need to change their passwords, as Evernote introduced a single password system for the forum and the app, a system which did not see password data sent to the third party responsible for hosting the forum. According to ZDNet, the Evernote forum currently has 164,644 registered members; Evernote has not disclosed how many were affected by the hack.

Evernote has reached out to the users who were affected. According to posts on the forum discussing the hack, passwords which were compromised had been ‘hashed’ – scrambled one-way rather than stored in plain text, to provide a basic level of protection.

Last Tuesday Evernote was the subject of a denial-of-service (DoS) attack that stopped users accessing their accounts. The DoS attack had been repelled by the following day, and Evernote reassured customers that no hacking had taken place during the attack.

Following a major hack in 2013 that saw intruders able to reset user passwords and access full personal details, Evernote introduced an optional two-factor authentication system, whereby users could use a code sent to their smartphone to prove their identity. Evernote has more than 100m users.

Author , ESET

  • anigel

    Never understood why these companies feel they have some real need to ask for a date of birth in the first place!

  • Dhanushya1

    On 2014 Oct 3rd I received a mail (to aim- which is linked to ‘TX-txxxxe’ Evernote account) from the Evernote support team notifying me that my email address had been changed.
    Since then I opened a ticket and contacted the support team and informed them that it’s not me who changed the address, and asked them to support me in rectifying my account password.
    Now I cannot log in to my OWN Evernote account, as the person or system which hacked my account has changed my password.
    I have said in many ways to the support team that I have the mail which I received from you on the 3rd which notified me of my address change.
    I have the last picture which I uploaded to my account, I can give the password which I last used to log in, and I have provided all the information they required.
    The answer from them is, they verified that I’m not the user. But how, when I’m the right owner of my account and they don’t want to lock the account or delete it, and how can they let another person use my own data!!!! It is very, very sad and scary.

Copyright © 2017 ESET, All Rights Reserved.