[ISN] Evernote resets user passwords after being hit by "coordinated" hack

From: InfoSec News <alerts_at_private>
Date: Mon, 4 Mar 2013 00:42:13 -0600 (CST)

By Nathan Mattise
Ars Technica
Mar 2 2013

Evernote is requiring each of its 50 million users to reset their login 
credentials after the site's security team detected a security breach 
that exposed password data and other personal information.

In a security notice published Saturday, Evernote said the precautionary 
password reset came after an investigation found no evidence of any 
stored content being accessed, changed, or lost. The advisory also 
stated that payment information wasn't accessed. However, Evernote 
warned that user information -- including usernames, cryptographically 
protected passwords, and e-mail addresses -- was accessed. "Even though 
this information was accessed, the passwords stored by Evernote are 
protected by one-way encryption," the statement noted. "(In technical 
terms, they are hashed and salted.)"

Evernote's decision to cryptographically hash and salt this information 
is important in the wake of this digital break-in, because the technique 
makes the information slightly more time-consuming to crack. That can 
buy a security team time in the hours or days following the discovery of 
a breach. (For a more detailed explanation of the techniques, see Ars 
Security Editor Dan Goodin's feature "Why passwords have never been 
weaker -- and crackers never been stronger.") Despite the precaution, 
Evernote's decision to reset all the passwords remains a necessary 


Received on Sun Mar 03 2013 - 22:42:13 PST
