TBA Law Blog


Posted by: Christy Gibson on May 14, 2013

     On March 2nd, 2013, Evernote users were alerted via email that the company had discovered an attempt to hack the network. The network security team was able to block the suspicious activity, but not before intruders gained access to Evernote user information, including usernames, email addresses, and encrypted passwords.

     Users were instructed to log in to their account on evernote.com and reset their password, then update it on synced desktop and mobile apps.

What does this mean for the Evernote user?

     Even though password information was accessed, the passwords stored by Evernote are protected by one-way encryption. In technical terms, the passwords were hashed and salted, which renders them completely inscrutable and unusable.

     This means that passwords retrieved by the intruders were scrambled, preventing the intruders from accessing your account.

     Content stored in Evernote was not stolen, as noted by the company: “In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost.” So, any client confidential data you added to Evernote was not compromised.

     Furthermore, if you have a premium account, Evernote assured us that there was no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

What about lawyers and client-confidentiality issues?

     In addition to current security measures and others in the works, Evernote offers the ability to encrypt data contained within notes, so lawyers can use this feature to protect sensitive client information. 

     The data is password-protected and Evernote does not receive a copy of your password. Unfortunately, this means that if you forget your password, Evernote can’t recover your data, and neither can you.

What is Evernote doing to remedy the situation?

     Even though Evernote’s password encryption measures are robust, asking all users to reset their passwords provides an additional measure to ensure your personal data remains secure.

     Evernote also announced that they are accelerating plans to adopt two-factor authentication similar to that used by Dropbox, Facebook, and other online applications.

What can you do to protect your data?

     Evernote provided the following steps to ensure that your data in Evernote and other sites is secure:

  • Avoid using simple passwords based on words found in a dictionary.
  • Never use the same password on multiple sites or services.
  • Never click on ‘reset password’ requests in emails – instead go directly to the service by typing the address into a browser address bar or using a bookmark.

     We’ll add another tip: Change the email address associated with your Evernote account. The intruders did get 50 million email addresses and can use them to spam you at a later time with fake password-reset emails.

     If you’re having trouble keeping track of your passwords across all of your cloud services, take a look at 1Password, which helps you manage passwords and ramp up security.