(Image Courtesy – Hicube Infosec)
Evernote is the latest company to be hit by the ongoing series of high-profile security breaches that has already affected other companies including Microsoft, Apple and Facebook. Evernote announced on March 2 that it had found suspicious activity on its network: a coordinated attempt to access secure areas of the Evernote service. The two main points from the announcement were:
- Bad News: Hacker(s) were able to access user information such as usernames, email addresses and passwords (in encrypted form).
- Good News: No user content was accessed, changed or lost.
It is bad that critical user information was leaked; however, as Evernote stated, the stolen passwords were protected with one-way encryption, which technically means they were hashed and salted. For non-technical readers who don’t know what hashing and salting mean, here is how it works. When you enter a plain-text password, the system adds to it a randomly generated value called a salt. A salt can be a mixture of numbers, letters, symbols and so on. The randomly generated salt is concatenated with the plain-text password, and the combination is processed by a cryptographic hash function, an algorithm that converts the password and salt into a fixed-size value. Finally this value, not the password itself, is stored in the database. The whole process strengthens the protection of your password and makes it really tough for hackers to recover it. However, it is not impossible.
Another question that lurks: they used one-way encryption and still got hacked. What should they have done to stop this breach? The answer lies in the security infrastructure Evernote was working with. They were using the MD5 cryptographic hash algorithm to convert user passwords into hashes and storing those in the database. MD5 is not popular among security experts for this purpose because it is a fast and computationally inexpensive way to convert passwords into hashes. If the algorithm hashes data this fast and cheaply, it also lets hackers test password guesses against the stolen hashes just as fast, which is the biggest fear Evernote has right now. MD5 lets an attacker try billions of candidate passwords per second, which makes cracking passwords comparatively easy, and this is why Evernote immediately reset everyone’s password and asked them to set new ones.
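To make the two points above concrete, here is an added example (not Evernote's code, and not from the original post) that implements salted password storage and verification twice: once with the fast salted MD5 scheme the post describes, and once with an iterated key derivation function (PBKDF2-HMAC-SHA256, chosen here as the slow alternative), plus a small benchmark showing how many candidate passwords each scheme lets one core check per second. The iteration count and the sample passwords are constructed values.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow scheme (constructed value; tune for your hardware).
PBKDF2_ITERATIONS = 200_000


def make_salt(n_bytes: int = 16) -> bytes:
    """Random per-user salt. It is stored next to the hash and need not be secret."""
    return os.urandom(n_bytes)


def md5_salted(password: str, salt: bytes) -> bytes:
    """salt || password -> 16-byte MD5 digest: the fast scheme the post criticises."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    """Same input, but iterated PBKDF2_ITERATIONS times so each guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(password: str, scheme: str = "pbkdf2") -> dict:
    """What the database row keeps: scheme, salt and digest, never the password."""
    salt = make_salt()
    digest = (md5_salted if scheme == "md5" else pbkdf2_salted)(password, salt)
    return {"scheme": scheme, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    fn = md5_salted if record["scheme"] == "md5" else pbkdf2_salted
    return hmac.compare_digest(fn(candidate, salt), bytes.fromhex(record["hash"]))


def guesses_per_second(scheme: str, seconds: float = 0.5) -> float:
    """Rough single-core throughput: how many candidates the scheme lets you check."""
    salt = make_salt()
    fn = md5_salted if scheme == "md5" else pbkdf2_salted
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        fn("candidate%d" % count, salt)
        count += 1
    return count / seconds
```

Two users with the same password get different digests because their salts differ, and the benchmark shows the gap of several orders of magnitude between the two schemes that the post's "billions of guesses per second" refers to.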
As the primary user information has been compromised, Evernote sent out an email asking all of its 50 million users to change their password as a precautionary step. After the hack Evernote took immediate security measures, which may have created problems as users were unable to access their accounts. This caused a panic among users, who started searching various sources for any clue. As soon as Evernote broke the news last Saturday it spread like wildfire from social media to news portals, and it is still urging its users to change their passwords.
How will this affect you?
- Hackers were able to gain 50 million email addresses and passwords. They can now send phishing emails with password reset links which would further help them gain access to your accounts. In a panic like this, even if only 1% of people click the reset link and give out their information, the hackers would still get control of 50,000 accounts. So it’s NOT advisable to click password reset links in email. Rather, you should visit the website directly and change the password there.
- Hackers have 50 million email addresses which they can use later to send out spam, which will create further problems at a later date.
- In this series of ongoing attacks the next organization could be any service provider you use in your daily life. So it’s advisable to keep your security tight by adhering to proper security standards, especially with your passwords. You can follow some of the best practices we have listed to strengthen your password.
Whenever such a security breach comes into broad daylight we can’t help but think what could have been done to avoid it, and we end up blaming the organization under scrutiny. Although it is tough to find every loophole in a system, it is the utmost responsibility of the organization to safeguard its users’ information and data.
How Can You Safeguard Yourself?
Users can also secure their accounts to a large extent by using Single Sign-On services like SmartSignin, which in Evernote’s case would have helped in two ways:
- They wouldn’t have to worry about their password getting cracked, as they could use one that is more than 16 characters long and complex (if Evernote’s password policy permitted). By remembering just one password they wouldn’t have to remember the passwords of their different online accounts.
- Many Evernote users are now changing passwords on many of their online sites because they know they have been reusing passwords. With SmartSignin they would only need to change the Evernote password as a precaution.
Do you use Evernote? What are your views about their security breach?