Hackers gained access to member profile information

Jun 17, 2014 07:09 GMT

The security of the discussion forum server for Evernote has been breached, and it appears that the hacker(s) managed to get access to the profile information of some members.

The company sent an email to the affected users explaining the current situation and asking them to change their passwords if the same passwords are used to log into other web services as well.

In a post on the forum, Geoffrey Barry, Community Manager at Evernote, said that the discussion site is a separate service from the note-taking one and that all other content is safe and sound.

Since the forum and the note-taking service run on different networks, which are not connected to each other, the company representative made it clear that the log-in password for Evernote does not have to be changed.

“We do not store your Evernote password on our discussion forum servers and you do not need to change it,” the post said.

According to Barry, users with an older account on the forum, created in 2011 or earlier, are the ones affected by the breach and should update their password.

All passwords are protected by a hashing algorithm, which should make it more difficult for the hackers to recover the original strings.

Additional information leaked during the attack includes email addresses and, if provided, birthday details.

In 2011, Evernote introduced the single-sign-on service, which means that the same password used to log into the service is also used for the forum.

However, the information for the forum accounts created after 2011 should be safe because it is stored on Evernote’s servers, whose security has not been breached.

This created confusion among users reading the post announcing the hack because they immediately proceeded towards changing the log-in password and were directed to the Evernote account.

To clear things up, Barry made another post on the forum, saying that “Evernote passwords have NOT been compromised. The only passwords that were compromised as part of this breach would be to forum accounts (which had their own passwords) created on the old forum system, which is no longer active. Since 2011 the forum authenticates you via a Single Sign On with your Evernote account, which allows you to log into our forums by logging into your Evernote account.”

Furthermore, the representative added that, “The only scenario where you would need to change your Evernote account password is if you used the same password on forum.evernote.com (the site that predates discussion.evernote.com forums in 2011) as your Evernote account password, and have not made any changes to your passwords since.”

The bottom line is that only users who received the email informing them of the risk need to update their passwords.

Last week, Evernote was hit by a DDoS attack, which was resolved quickly by the company.