With more than 50 million users relying on Evernote, a service designed for taking notes and archiving data, a security breach is close to a worst-case event. This past week the worst case came true: the company said it believed usernames, email addresses and hashed, salted passwords (described in its notice as "encrypted") had been accessed by attackers.
"Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service," officials confirmed in a company blog post. "As a precaution to protect your data, we have decided to implement a password reset [for all users]."
Evernote spokesperson Ronda Scott told PC World that the company would release updated versions of its applications on every platform and walk users through choosing a new, strong password, to make the reset as painless as possible.
Matthew Schwartz, an InformationWeek editor, wrote that incidents like this deserve the attention of customers and cloud providers alike, because there is always something to learn from a breach of this size. The first thing a company should do, he argues, is spell out what the attackers went after and how they got at it. Schwartz credited Evernote for broadcasting its warning quickly, stating plainly what was taken and noting that the passwords were protected. Because the passwords were stored as salted hashes rather than in the clear, an attacker has to crack each one before it can be used; that work probably bought users some time and gave the company room to detect the intrusion and force a reset before the stolen data became useful.
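To make concrete what "hashed and salted" buys a breached service, here is an added example; it is not Evernote's code (which is not public) and the account names, passwords and wordlist are constructed. It stores passwords with a per-account random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, an assumed choice), then runs the same small wordlist against unsalted SHA-256 digests and against the salted records. With no salt, one precomputed table cracks every account at once; with salts, every account must be attacked separately and every guess costs a full KDF run.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two accounts that happen to share a weak password.
USERS: Dict[str, str] = {"alice": "letmein2013", "bob": "letmein2013"}
WORDLIST: List[str] = ["password", "123456", "letmein2013", "evernote"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256. Identical passwords give identical digests,
    so a single precomputed table cracks every matching account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256.
    Record format (assumed for this example): algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_unsalted(records: Dict[str, str],
                   wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on unsalted digests: hash each word once, then look up
    every account in the table. Returns (recovered passwords, hash evaluations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    recovered = {user: table[d] for user, d in records.items() if d in table}
    return recovered, len(wordlist)


def crack_salted(records: Dict[str, str],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted records: no shared table is possible, so every
    (account, guess) pair costs a full PBKDF2 run. Returns (recovered, KDF evaluations)."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, record in records.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, record):
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    plain = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Both attacks still succeed against a weak password; salting and a slow KDF only multiply the attacker's cost by the number of accounts and the iteration count. That multiplier is the "time" Schwartz refers to, and it is exactly why a forced reset of every account, rather than waiting to see which hashes fall, is the right response.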
Positives to be learned
Another positive, he wrote, is that the company chose to reset every password rather than first trying to work out which accounts had been compromised and which had not.
"While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure," Evernote said. "This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords."
Other things to learn from this attack, according to Schwartz, include:
– Lock down weak points. Evernote pushed updated client applications for every operating system shortly after the attack, which suggests it had some to fix
– If a breach happens, do not put clickable links in the password reset email. A message that says "your account was breached, click here to log in" is indistinguishable from the phishing emails that follow a breach; tell users to type the address themselves
– For users, a leak of email addresses and usernames means landing on spam and phishing lists. Schwartz expects attackers to send messages that impersonate popular websites or services, including Evernote's own reset notice, to draw victims into a second attack
– The volume of attacks is not dropping, so businesses and users alike must stay alert to protect themselves from cybercriminals
Schwartz also argued that two-factor authentication is necessary to improve the security of both users and businesses.
"Too few businesses have followed the security example set by game maker Blizzard, which offers its users a $6.50 two-factor authentication token, as well as a two-factor smartphone authenticator," Schwartz wrote on InformationWeek. "Notably, two-factor authentication would have prevented the Evernote hackers from using any passwords they successfully decrypted. If both Blizzard and Google can do it, what's stopping cloud services such as Twitter and Evernote from offering better security to their users?"
Robert Belfort, a partner with Manatt, Phelps & Phillips LLP, told CIO.com that most data breaches begin with a moment of confusion: something the company, or one of its employees, never gave much thought to suddenly goes missing. Businesses need to cover all the bases on data security to keep such moments from turning into breaches.
Data Security News from SimplySecurity.com by Trend Micro.