Content from user stores and payment information have not been compromised

Mar 4, 2013 07:39 GMT

The passwords of all 50 million Evernote users are being reset after the company identified suspicious activity on its network.

After investigating the incident, the firm hasn’t found any evidence that payment information for Evernote Business or Evernote Premium customers, or content from stores had been accessed.

However, it appears the attackers have managed to gain access to user information, including email addresses, usernames, and passwords. Fortunately, Evernote seems pretty confident that their passwords are properly protected.

“While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com,” the Evernote team wrote in a blog post.

It’s uncertain what algorithm they’ve been using to protect the passwords, but in the post they mention that the passphrases are hashed and salted.

On the site’s knowledge base, the company reveals that it derives a 64-bit RC2 key from the passphrase and uses it to encrypt the text.

Besides resetting all user passwords, Evernote is also updating several of its apps in an effort to make the password change process easier.

Customers are advised to set strong passwords and to avoid clicking on “reset password” requests received via email, since cybercriminals might be leveraging the incident to spread malware or to phish for sensitive information.

“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” the company explained.