Apple, Facebook and Twitter have all been the target of hackers recently, and now Evernote has admitted to a potential breach that has forced it to reset the passwords of approximately 50 million registered users. Evernote, a kind of web scrapbook that enables you to take notes, save web pages and web page content, sync files across devices and share ideas with friends and colleagues, did the right thing in notifying users and resetting passwords. However, it did the right thing in the wrong way; and here's why.

I received an email last night informing me that:

Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

This immediately sought to put my mind at rest, and the minds of the 49,999,999 other people reading the communication, by assuring me that Evernote was taking this seriously enough to implement an across-the-board password reset. This despite there being no evidence, as yet, that any of my Evernote content had been accessed, changed or stolen. Evernote also told me that no payment information for 'premium' or 'business' customers had been accessed. So far so good, you may be thinking.

The bad news is that the breach investigation does reveal that the hackers were able to gain access to usernames and the emails associated with them (sound familiar yet, folks?) and, yes, those all-important passwords. Now, in the case of Evernote these passwords are hashed and salted, which makes them pretty robust, but once again Evernote was taking no chances and the email says:

"in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com."

Again, so far, so much better, you are probably muttering, and wondering what the 'farce' angle is. Well, if you examine the link in the email to reset your password (as you always should before clicking anything, as scammers and cyber-criminals can be quite clever in their presentation of misinformation) you will see that it takes you to a page at:

http://links.evernote.mkt5371.com

That's not the full URL; the actual link will be different for each user, and is followed by a whole bunch of meaningless characters. Meaningless to the casual observer, that is. The point, however, is that this kind of URL looks remarkably similar to the obfuscated variety that phishers and their ilk use to fool users into clicking them: they start with something that includes the product or service name but actually isn't the product or service URL itself. So in this case the link text in the email states 'evernote.com' but actually points to 'links.evernote.mkt5371.com', which is a totally different kettle of fish and raises alarm bells with anyone who has been properly schooled in taking security seriously.
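The check described above, turned into code as an added example (not from the original post): it parses the HTML body of an email and flags any link whose visible text names one domain while its href points at a host outside that domain, which is exactly the evernote.com text pointing at links.evernote.mkt5371.com. The sample email body and its tracking path are constructed placeholders, and the domain matching is a plain label-suffix comparison rather than a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Something that looks like a hostname inside the visible link text, e.g. "evernote.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_within(host, domain):
    """True if host equals domain or is a subdomain of it (whole-label suffix match)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def mismatched_links(html):
    """Return (text, href) pairs whose text names a domain the href host is not part of."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        named = DOMAIN_RE.search(text)
        # Text domain may be a parent or child of the href host; anything else is flagged.
        if named and not (host_within(host, named.group(1)) or host_within(named.group(1), host)):
            hits.append((text, href))
    return hits


# Constructed sample email body; the tracking path is a placeholder, not the real one.
SAMPLE_EMAIL = (
    '<p>Please create a new password by signing into your account on '
    '<a href="http://links.evernote.mkt5371.com/TRACKING-PLACEHOLDER">evernote.com</a>.</p>'
    '<p>Updates at <a href="https://blog.evernote.com/">blog.evernote.com</a>.</p>'
)

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"WARN: link text says {text!r} but href goes to {href}")
```

The second link is left unflagged because blog.evernote.com really is served under the domain its text names.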


The real farce starts when you continue reading the email and discover that amongst the "several important steps that you can take to ensure that your data on any site, including Evernote, is secure" which the security team helpfully have provided there is, right there at number three on the list:

"Never click on 'reset password' requests in emails - instead go directly to the service"


Sorry Evernote, you get kudos for doing the right thing, but I'm afraid that you have shot yourself in both feet by doing it in the wrong way. It's important that you eat your own dog food in the security business, that is, you yourselves follow the advice that you give others, and in this case you didn't.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011, despite my life being far from over...

Member 949455

Thanks for sharing the info.

It's very detailed about how they (hackers) used the Evernote page and used it as their.

It really takes a lot of planning to do something like this.

Every detail is very important, but they manage (not yet) to pull it off again.