(LiveHacking.Com) – Over the weekend Evernote, the cloud-based note-taking service, revealed that it had discovered suspicious activity on its network: attackers attempting to access the secure areas where users' notes and files are kept. During the follow-up investigation Evernote found that the attackers had gained access to user account information, including usernames, email addresses and encrypted passwords. As a precaution, the company has forced a password reset for all of its roughly 50 million users.
One good piece of news is that the passwords were not stored in the clear: Evernote describes them as encrypted, and more precisely as hashed with a salt, something LinkedIn failed to do in its 2012 breach, where unsalted SHA-1 hashes were leaked and cracked in bulk. Evernote is confident that its password protection is robust, but is forcing the reset anyway. That is the right call: a salted, iterated hash slows an attacker down and stops one cracking run from covering every account at once, but it does not stop offline guessing of weak passwords once the hashes are in the attacker's hands.
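To make the LinkedIn comparison concrete, the following added example (not Evernote's or LinkedIn's code, and not a description of Evernote's actual scheme) contrasts a bare SHA-1 digest with a salted, iterated PBKDF2 hash. The "user database" is constructed for the example; two users deliberately share a password so the effect of the missing salt is visible.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: alice and bob happen to use the same password.
SAMPLE_USERS = {"alice": "Summer2013", "bob": "Summer2013", "carol": "tr0ub4dor&3"}


def unsalted_hash(password: str) -> str:
    """LinkedIn-style storage: one bare SHA-1 digest of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Salted, iterated storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The record carries everything needed to verify later: algorithm, rounds, salt, digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_with_table(dump: dict, wordlist: list) -> dict:
    """The attacker's view of an unsalted dump: hash the wordlist ONCE, then look
    every leaked digest up in the table. Cost is independent of the number of users."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def demo() -> None:
    unsalted_dump = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_dump = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}

    # Same password, same digest: the leak itself reveals which users share one.
    print("alice == bob (unsalted):", unsalted_dump["alice"] == unsalted_dump["bob"])
    # Same password, different records: nothing to correlate, no shared precomputation.
    print("alice == bob (salted):  ", salted_dump["alice"] == salted_dump["bob"])

    wordlist = ["password", "Summer2013", "letmein"]
    print("cracked from unsalted dump:", crack_with_table(unsalted_dump, wordlist))
    # Against the salted dump every guess must be re-hashed per user, per salt.
    print("verify alice:", verify_salted("Summer2013", salted_dump["alice"]))


if __name__ == "__main__":
    demo()
```

The point of the example is the shape of the attack, not the particular algorithm: with unsalted hashes one table lookup cracks every user who chose a word in the attacker's list, and equal digests leak password reuse before any cracking happens. With a per-user salt and an iterated function every guess has to be recomputed for every account, which is why Evernote can describe its storage as robust while still insisting on a reset.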
“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” said Evernote in a statement.
In the notification email sent to its users, Evernote also gave some general password advice, including:
- Avoid using simple passwords based on dictionary words
- Never use the same password on multiple sites or services
- Never click on ‘reset password’ requests in emails – instead go directly to the service
Although the last piece of advice is generally sound (password resets are a favourite lure in phishing emails), Sophos has pointed out that the notification email itself contained links for resetting the user's password. In fairness to Evernote, the links do land on the evernote.com site rather than directly on a password reset page. The problem is that each link passes through a click-tracking system on the domain links.evernote.mkt5371.com, which is exactly what a phishing link looks like: the brand name appears only as a subdomain label, while the registrable domain, mkt5371.com, belongs to someone else. In this case that someone is Silverpop, the email marketing firm Evernote used to send out the 50 million messages, but a recipient cannot tell that from the link alone, and a notice that tells users never to click password reset links in email should not then train them to click one that looks like this.