Evernote

Evernote, the popular cross-platform note-taking and sharing app, has issued a statement about some recent "suspicious activity on the Evernote network". All users will have to change their passwords, and it seems that usernames and other data, including the encrypted versions of passwords, have been accessed. In a letter sent out to users, Evernote says the following:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As we've seen recently, there's been a rash of coordinated attempts to hack the big players in online services. Hopefully Evernote's encryption methods are solid, but having users change their passwords at login is a great way to keep everyone safe. Visit Evernote's blog for more information.

 
There are 15 comments

Jayshmay says:

I don't usually like changing my password.

icebike says:

Once you give up trying to remember them all then you don't mind so much.

With my geezer memory, I have two choices. Use the same password everywhere (scary) or use something to remember all my passwords.

I've totally bought into the password vault theory, and use mSecure (reviewed here on AC) and it has a feature that will generate hard to hack passwords for you as well as remember them and sync your vault to all your devices.

mwara244 says:

I'm a history buff, best way is to take dates in History and mix match them into gibberish, easy way to remember your password to a famous day in history in any country so you won't forget. For example, Lincoln was assassinated in "April 14, 1865" you just mix up the whole date A1p4r18i6l5, or the Day the French revolution started July 14, 1789 to 9y8l7u1j41. Makes it easy to remember passwords while making them not random enough to figure out. Just need to set up a system to something general that you'll always remember that's not even associated with you.

Evoken says:

I was already planning on moving to Google Docs for my note taking. This may well just be the push I needed.

_X_ says:

I used both tools and can tell you they're not the same. Evernote is good at what it does: quick notes, or from pictures, and easy to file.

Google Docs is better for writing docs.

jerrod6 says:

Let's face it. In today's environment this can happen to any online service. It's happened to Apple, and even major financial institutions. I didn't store any critical information on Evernote, but the problem is email userid and passwords being hacked at even if they are encrypted. Best to keep your application passwords different than your email address password. I also don't store financial or governmental IDs in Google Docs. I store these on offline external hard disks and yes, paper files that are kept in a secure place in my home.

It's a pain to change and remember passwords. Where I work we are required to change them every 33 days, and they must contain numbers, letters, special characters, upper/lower case, must be longer than 8 characters, and they must be different from the last 7 passwords we have used in the past. It's hard but in today's cyber world it is probably worth it.

blackbyrd says:

Yeah, me neither....but we really should.

BCwrangler says:

Sweet....more spam!

cadzilla74 says:

LOL! No kidding. I started getting more crap in my Inbox the last couple of days. Hadn't installed any new apps so I wondered what triggered them all of a sudden. Can't point the finger at Evernote for sure but after seeing this I guess they are the likely culprit.

icebike says:

You get spam? How quaint.

Sean Kelly2 says:

Likely culprit? Hardly. There are about a billion other reasons for increased spam other than your account information potentially being compromised. Email lists are bought and sold daily. Much, much more likely is you did business with a company and they sold their list.

Additionally, hacking Evernote for email addresses would be like robbing a bank for empty coin rollers; just doesn't make any sense. If it was a criminal, they were after PII and data for identity theft and even more likely they were looking for payment information stored on the system.

Shouldn't spread FUD without evidence.

Agret says:

Hopefully nobody had their notes compromised. Could end badly if they are using the service to store sensitive information.

_X_ says:

This is one of those news items that the users know what's happening before they read it in the news. Evernote sent a notification and email explaining the issue; they also disconnected their Android app.

Sean Kelly2 says:

Kudos to Evernote for disclosing the potential breach of data and for storing the passwords in the proper manner.

The bottom line is that if a hacker is determined to get into a system they will; the best we can hope for is to mitigate the potential for damages and for the target of the hacking attempt to be transparent in their process for handling breach.

I'll continue to use Evernote; primarily because of how they handled this incident.

bgowland says:

I agree. Forcing all users to reset passwords is a major pain but it's better than the alternative.

Well handled.