Jump to content

(Archived) Forum Hacked

Murk

Recommended Posts

  • Level 5*
GrumpyMonkey

GrumpyMonkey 4,315

Posted
  • Level 5*
Posted

I see the forum was hacked this afternoon. What are the implications for account security?

The hacker claimed to have exposed user info and dumped passwords. Who knows? In my opinion, this would be a great opportunity to just change your password. Nothing is 100% effective, but with very little effort you can make it exceedingly difficult for a hacker to break into your stuff. I recommend doing the following:

(1) Use a password manager

(2) Use a long password (15, 20, or more characters)

(3) Use a random password (have a password generator make it)

(4) Use a unique password (one password for each site, so even if hacked, no damage)

(5) Change the password regularly (even if hacked, no opportunity to use it)

(6) Use a unique and randomly generated email address for your password manager (no way to access your pw manager).

I'd take this opportunity to change your password. It only takes a minute, and it can't hurt. I doubt the hacker really got anything, but better safe than sorry.

[EDIT:] Evernote has since confirmed that know passwords were compromised, because the forum does not have access to that information.

Link to comment
BurgersNFries

BurgersNFries 2,407

Posted
Posted

I see the forum was hacked this afternoon. What are the implications for account security?

The hacker claimed to have exposed user info and dumped passwords. Who knows? In my opinion, this would be a great opportunity to just change your password. Nothing is 100% effective, but with very little effort you can make it exceedingly difficult for a hacker to break into your stuff. I recommend doing the following:

(1) Use a password manager

(2) Use a long password (15, 20, or more characters)

(3) Use a random password (have a password generator make it)

(4) Use a unique password (one password for each site, so even if hacked, no damage)

(5) Change the password regularly (even if hacked, no opportunity to use it)

(6) Use a unique and randomly generated email address for your password manager (no way to access your pw manager).

I'd take this opportunity to change your password. It only takes a minute, and it can't hurt. I doubt the hacker really got anything, but better safe than sorry.

I agree. Although the EN employee said passwords were not accessible to the hackers, that doesn't mean the hackers couldn't use apps to try to break into the accounts. Just to be safe, I also changed my password.

Link to comment
  • Level 5*
GrumpyMonkey

GrumpyMonkey 4,315

Posted
  • Level 5*
Posted

I agree. Although the EN employee said passwords were not accessible to the hackers, that doesn't mean the hackers couldn't use apps to try to break into the accounts. Just to be safe, I also changed my password.

I doubt the user information and passwords were compromised, either, but it is just so easy to change a password, I don't see any reason not to do it. As soon as I saw the site had been hacked, I changed my Evernote passwords, and was done within maybe a minute.

Link to comment
spg SCOTT

spg SCOTT 736

Posted
Posted

For anyone else that tries to change their password on the forum:

It is not possible to do so via the forum, because the passswords (and login in general) are not handled by the forum sorftware, rather they are handled by the Evernote account system itself.

This means that, to change your password you will need to log in to Evernote.com and do it from there.

I am not 100% sure, but I think that this means that by hacking the forum software they couldn't get passwords anyway, since that is contained within the Evernote account and all the forum sees is an authentication cookie.

But like I said, not 100% percent sure on exactly how that works. FWIW I have also changed my password, just in case. :)

Scott

Link to comment
gbarry

gbarry 2,657

Posted
Posted

I actually received an email - addressed to me by my Evernote user name - regarding the matter.

When I followed the link to the forum within the email it took me to a very dodgy Paypal window......

Shady. Thanks for reporting, I'm going to reach out to Invision on this and we may want to get a message out to the rest of their client base if we can verify it's related.

If it is, I will include this in an administrative email I'll be pushing out to every registered community member.

And to echo what others above said--we use a cookie to authenticate, so your Evernote password, and Evernote account, are not held with the forum. That said, any incident that works as a reminder for our users--or anyone really--to take some additional steps in increasing their own data security is a Good Thing in my book.

Link to comment
gbarry

gbarry 2,657

Posted
Posted

Looks like my password has been changed so I cannot enter whatever it is to change it!

Oh dear!

Chris

And to officially close this part out, you cannot change your passwords in the forum, because there are none to change :)

Link to comment
C6REW

C6REW 416

Posted
Posted

Looks like my password has been changed so I cannot enter whatever it is to change it!

Oh dear!

Chris

And to officially close this part out, you cannot change your passwords in the forum, because there are none to change :)

If I knew what you meant, that would be great!

But no matter, as long as we are safe and sound and back to normal that is all that matters!

Best regards

Chris

Link to comment
  • Level 5*
GrumpyMonkey

GrumpyMonkey 4,315

Posted
  • Level 5*
Posted

Looks like my password has been changed so I cannot enter whatever it is to change it!

Oh dear!

Chris

And to officially close this part out, you cannot change your passwords in the forum, because there are none to change :)

If I knew what you meant, that would be great!

But no matter, as long as we are safe and sound and back to normal that is all that matters!

Best regards

Chris

Hi Chris.

I think what it means is that if you logout and try to login you'll see that you do it through the Evernote website. With that sign-in at Evernote, you can access the forums, but the company that owns the forums does not ever see your password, so there is nothing on record, and therefore, nothing to get hacked.

Link to comment

Archived

This topic is now archived and is closed to further replies.

Guest
This topic is now closed to further replies.
Go to topic listing
×
×
  • Create New...