
(Archived) Evernote break in - What happened?



Posted

There are other threads on the password reset, lost notes, and 2FA.  But no one at Evernote is explaining what happened or what has been done about it.  

 

I expected some time to pass before they did, but I am troubled by the continued silence.

 

Am I alone?

 

Evernote, do you plan to ever speak to this?  If so, when do you think you will?

Posted

Detailed information about what happened can be found here:

 

http://discussion.evernote.com/topic/35555-security-notice-service-wide-password-reset/

 

Since that specific post does not appear to allow comments, separate discussion threads were started so people could have a chance to discuss their thoughts, concerns, feature requests, etc. Evernote's Twitter feed is also an immediate way to find info on developments throughout the week.

 

Edit: It looks like the post I cited was from March 2, 2013, so it was probably not as visible from the front page now that newer announcements have taken its place.

Posted

I have seen that post, and twitter, and the various news reports.  But as you highlight, nothing new since almost 3 weeks ago.

 

The early reports rightly focused on what we should do in the aftermath.  That was the most critical thing, and I am sure Evernote needed time to fully understand what had happened and what they needed to do.

 

What I am looking for is a) how did the break-in happen, b) what are the lessons learned, and c) what does Evernote plan to do about it. If they are not in a position to talk about it yet, I suggest that a blog post saying they understand the need and when they think they will be ready to talk would put a lot of minds at ease. I at least am willing to give them time, but I cannot wait forever. If I need to move off Evernote I need to know (I already have moving off Google Reader looming, so time is short :) )

 

Phil?  Dave?  Surely you can say more by now.

Posted

I'd seriously hope that they don't say anything - any information they give would be more useful to those wishing to repeat the hack than it would be to us as users.

 

We have to assume that they are focused on security and are throwing as much weight behind being as secure as possible; the negative publicity that was generated recently must have hurt them more than anything they've suffered before. However, the reality is that at some point in the future they will be hacked again, and so we as grown-ups need to decide for ourselves what we store in a cloud service and how we store it (encrypted or not).

Posted

Evernote might choose to say a little more when they release/upgrade security features, but I'm with Metrodon: would you expect your local bank branch to say

 

"The thieves got in through the side door, which has a 6-digit password key, and made their way through the staff restroom wall into the side of the vault. They were able to break into four of our 120 security boxes and stole $100,000 in negotiable bonds. We've now changed the password and reinforced the restroom walls with corrugated steel. We've mailed all our customers with an updated security procedure to access the existing boxes..."

 

However much or little you say,  if you say anything you're reducing the ignorance of the next guys to try this.  I'm happy with silence.

Posted

Metrodon, I disagree.  There are limits to what you would disclose, but the answer is not silence.

 

RSA was hacked and, after some time had passed, they told the story. Nothing in what they disclosed was news to the bad guys. But it was very useful for those of us who do not work in computer security for a living.

 

The Matt Honan story is another must read if you intend to live in the cloud.

 

Please Evernote.  Follow the example of responsible disclosure.

Archived

This topic is now archived and is closed to further replies.
