After it reset the passwords of some 50 million users, Evernote pushed updates to all its software products, according to a company spokesperson.
“We released updated versions of our applications across the board… to add messaging to alert users to update their accounts with new, secure passwords and to make this process easier,” Evernote’s Ronda Scott said in an email.
“This is the only change we have made to the Evernote clients in reaction to this attack,” she added.
Programs affected by the across-the-board update included Evernote, Skitch, Penultimate, Evernote Food, Evernote Hello, Evernote Web Clipper, Evernote Clearly, and Evernote Peek.
Evernote reportedly identified hacking activity on its network on February 28, but it didn’t alert its users of the security breach until March 2.
“Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service,” Evernote’s Dave Engberg wrote in a company blog that was also sent as an email to users.
“As a precaution to protect your data, we have decided to implement a password reset,” he added.
Thus far, Evernote hasn’t released any information as to who might have been behind the attack.
“No one has claimed responsibility,” Scott said. “Our internal Operations & Security team continues to investigate the details of this attack, including origin.”
“As this is ongoing, it is premature for us to comment on those details,” she said. She did disclose, however, that the breach did not result from a vulnerability in any of the company’s applications.
“This attack did not come through any of the Evernote applications or clients,” she said.
At this point, it’s still too early to talk about any security changes the company may implement in response to the breach.
“Since we’re still in the analysis phase of this, we’re not able to comment on future protocol or security changes,” she added.
In addition to continuous and aggressive monitoring of its systems for unusual activity patterns, Evernote protects user names and passwords with an encryption scheme known as “salted hash,” which some breach fighters believe is inadequate.
“While password hashing and salting can be effective at preventing attackers from working out your password should a company that stores that information get breached, it is far from solid protection,” writes security scribe Brian Krebs.
“Evernote didn’t say which scheme it was using to hash passwords, but the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye with today’s off-the-shelf hardware,” he added.
Evernote users—any Web user, actually—are advised to create strong passwords and not to reuse them from site to site. That can be onerous to manage manually, but programs like OneID,KeePass, and RoboForm take much of the pain out of the process.
John Mello writes on technology and cyber security for a number of online publications and is former managing editor of the Boston Business Journal and Boston Phoenix. Disclosure: He also writes for Hewlett-Packad's marketing website TechBeacon.