Software-as-a-Service (SaaS) note taking start-up Evernote has confirmed the login details of its users were accessed by hackers following an attack on its systems.
The company stated in a blog post that no data was accessed changed or lost, nor was any payment data for Evernote Premium or Evernote Business taken. However, its investigations have revealed the attackers did gain access to some user information, including usernames, email addresses and encrypted passwords.
"Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms they are hashed and salted)," said Dave Engberg, CTO of Evernote, in the blog post.
"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords," Engberg continued.
While the initial attack appears to have been contained, security experts are now warning Evernote users to beware of secondary attacks that may come via email.
Terry Greer-King, managing director of Check Point, said: "Evernote has done exactly the right thing by requiring all users to reset their passwords. But users should do this by directly accessing the website, and should be cautious about clicking on links in emails they receive, no matter how authentic the emails appear to be.
"There is a risk external parties could use the email addresses exposed in the attack to send phishing emails to users, to try and harvest sensitive data."
The Evernote team have reiterated this point, warning users never to click on reset password requests in emails and to use different, complex passwords across multiple sites.
Paul Ayers, VP EMEA at Vormetric praised Evernote for telling its users to change their passwords, he added that "whilst no compliance violations appear to have taken place at Evernote, the company will still have to deal with the negative impact on the brand and customer confidence."
Anyone concerned their data has been accessed or who is having difficulties resetting their password should contact the company's support service.
- This article was originally published on 4 March 2013 and updated on 5 March 2013 to include an additional comment
