
Evernote Forum Hack of June 2014 - what passwords were lost?



I have just received e-mail notification about the hack.

 

One of the things it says is "the hacker was able to access a hashed version of the password that you used to access our old forum in 2011, and earlier."

 

Leaving aside the question of why they would keep historic password data, this poses a serious problem because I don't know what password I was using in 2011!    Maybe my 2011 self was stupid enough to use my main Evernote pw or some other important password - I don't know.  Changing all my important passwords would be very time consuming and inconvenient.

 

Please provide us some way to test our important passwords against the hashes that were stolen.

 

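The check the poster asks for can only be done by whoever holds the leaked record: you recompute the hash over each candidate password with the record's salt and compare. The following is an added example, not Evernote's or the forum vendor's code, and the record layout (hex salt, colon, hex SHA-1 of salt plus password) is an assumption made for illustration, since the page does not say what scheme the old forum software used. The leaked record and the passwords are constructed.

```python
import hashlib
import hmac
import os

# ASSUMED record layout for this example: hex(salt) ':' hex(sha1(salt || password)).
# The page does not state the real scheme; this is illustrative only.


def make_record(password, salt=None):
    """Simulate how a forum of that era might store a password: salted, fast hash."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + ":" + digest


def check_candidate(record, candidate):
    """Recompute the hash for one candidate with the record's salt; constant-time compare."""
    salt_hex, digest_hex = record.split(":", 1)
    computed = hashlib.sha1(bytes.fromhex(salt_hex) + candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed, digest_hex)


def find_reused(record, my_passwords):
    """The check the first post asks for: which of my current passwords equal the leaked one?
    my_passwords maps a label ('bank', 'email', ...) to a password; only labels are returned,
    so the result can be shared without exposing the passwords themselves."""
    return sorted(label for label, pw in my_passwords.items() if check_candidate(record, pw))


def crack(record, wordlist):
    """The same computation from the attacker's side: run a wordlist against the record.
    Real attacks add mangling rules (summer2011 -> Summer2011!, etc.) and run on GPUs,
    where a salted SHA-1 is tried at hundreds of millions of guesses per second."""
    for guess in wordlist:
        if check_candidate(record, guess):
            return guess
    return None


# Constructed leaked record: a 2011 forum password "summer2011" under a fixed salt.
LEAKED_RECORD = make_record("summer2011", salt=bytes.fromhex("a1b2c3d4e5f60718"))
```

Two practical points follow from this. First, a site cannot offer a "test your password against the stolen hashes" service without building a password oracle that attackers can query just as easily as users can, which is why the usual advice is simply to change any password you think you might have reused. Second, the attacker's loop above is the whole reason a leaked hash of a reused password matters: with a fast hash, any password that appears in common wordlists falls quickly, and the recovered plaintext is then tried against other services.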

https://discussion.evernote.com/topic/61752-important-information-regarding-your-discussion-forum-account/

 

Additionally, one should keep a current record of any passwords they use. And don't use the same password more than once (IOW, each account has a different password). And all the other recommendations about passwords.  IOW, if you are recommended to change your EN password, that should be the only one you change.  Unless you use the same password for a bunch of other accounts, which is not recommended.  That's why there are password manager apps.


Can someone confirm if you can turn on "Two Factor Authentication" and actually have it work? I just tried enabling and had the system email me and I replied and then it asked for my mobile number which I gave and it then sent me a code and after that I was asked to scan the barcode with Google Authenticator.

 

I have done this with *many* other sites and use the Google Authenticator app regularly on iOS, but for whatever reason, when I try to use the code it gives me to activate "Two Step Authentication", I get an error that looks like this. I've tried 5 times now!  I've obscured the code I put in the box, of course, but it's the code the Google Authenticator app for iOS is providing me, and those codes are being generated from the barcode you provide. So, Evernote techs, I would confirm that Two Factor Authentication is also working, so people CAN actually enable it if they want to because of this security breach.

 

Thanks

 

 

[screenshot of the error message omitted]

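A code that the authenticator app shows but the server rejects is what you see when the client's clock is outside the server's accepted window (or when a code is retyped after it has already been used). The following is an added example, not Evernote's or Google Authenticator's code: RFC 6238 TOTP as the app computes it, and a server-side verifier that tolerates a few 30-second steps of clock drift and refuses replays. The secret is the published RFC 4226/6238 test key; the timestamps and drift values are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test key "12345678901234567890",
# base32-encoded the way an enrolment QR code (otpauth:// URI) carries it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = Unix time // period. This is what the app displays."""
    return hotp(secret_b32, at // period, digits)


class TotpVerifier:
    """Server side. Accepts codes from `window` steps either side of its own clock
    (absorbs client clock drift and typing delay) and never accepts a counter at or
    below the last one it accepted (so a code cannot be replayed or entered twice)."""

    def __init__(self, secret_b32, window=1, period=30, digits=6):
        self.secret_b32 = secret_b32
        self.window = window
        self.period = period
        self.digits = digits
        self.last_counter = -1

    def verify(self, code, now=None):
        if now is None:
            now = int(time.time())
        base = now // self.period
        matched = None
        # Compare every candidate step in constant time; no early exit on a match.
        for step in range(-self.window, self.window + 1):
            expected = hotp(self.secret_b32, base + step, self.digits)
            if hmac.compare_digest(expected, code) and matched is None:
                matched = base + step
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


def accepts_with_drift(drift_seconds, window, server_now=1_400_000_000):
    """Constructed scenario: the phone's clock is off by drift_seconds; does the server accept?"""
    client_code = totp(DEMO_SECRET_B32, server_now + drift_seconds)
    return TotpVerifier(DEMO_SECRET_B32, window=window).verify(client_code, now=server_now)
```

With the usual window of one step, a phone running about a minute fast or slow produces codes the server will not accept even though the app is working correctly, which is worth ruling out (check the phone's time sync) before assuming the server-side 2FA is broken. The replay rule also means that re-entering the same code after a failed attempt is rejected by design; wait for the next code.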

This is a user forum, for this specific technical issue I'd recommend contacting support directly. 

 

As for the "security breach", it is important to remember that Evernote's servers are still secure; they have NOT been compromised. This means your password has not been compromised, because your password does not live on the forum's servers. The forum software is hosted by a third party and does not have access to your password.

 

Follow the thread linked to above for more details on the forum server security breach.


Maybe this is a bit off topic, but how does Evernote not operate their own discussion forum?  I can see a company like "Joe's Cupcake Shop" farming this out, but I would assume that an established technology company should be able to cobble something together on their own. Even if a turnkey solution is used, surely there is a spare server in the server room, or they could just spin up a VM.


I thought we used the same evernote account to access the forums. So which password are we talking about?

Correct, it is the same password. The password is stored and authenticated through Evernote, on Evernote's servers. When you successfully authenticate on Evernote's servers, the success is passed to the forum servers. Thus, the password and authentication happens with Evernote, the forum only knows whether you've authenticated or not. 

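The arrangement described in the reply above, where the account service checks the password and the forum only learns that authentication succeeded, is a single sign-on handoff. The following is an added example of that pattern, not Evernote's or the forum vendor's implementation, and it assumes a symmetric HMAC key shared by the two parties (real deployments use SAML or OpenID Connect with asymmetric signatures) and a PBKDF2 password store on the identity-provider side. All users, passwords and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key shared between the identity provider and the forum (assumption for
# this example; production SSO uses asymmetric signing keys).
SSO_KEY = b"constructed-demo-key-not-for-real-use"
ASSERTION_TTL = 300  # seconds an assertion stays redeemable


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The account service. It is the only party that ever sees or stores password material."""

    def __init__(self, key):
        self.key = key
        self.credentials = {}  # email -> (salt, PBKDF2-HMAC-SHA256 hash); assumed scheme

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.credentials[email] = (salt, self._kdf(password, salt))

    def login(self, email, password, now):
        """Verify the password locally; on success return a signed assertion, never the password."""
        record = self.credentials.get(email)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._kdf(password, salt)):
            return None
        claims = {"sub": email, "aud": "forum", "iat": now,
                  "exp": now + ASSERTION_TTL, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
        sig = _b64(hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest())
        return body + "." + sig


class Forum:
    """The relying party. It keeps profiles and sessions, but no passwords or password hashes."""

    def __init__(self, key):
        self.key = key
        self.members = {}      # email -> profile
        self.sessions = {}     # session id -> email
        self.used_jti = set()  # assertion ids already redeemed

    def redeem(self, assertion, now):
        body, _, sig = assertion.partition(".")
        expected = _b64(hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None                       # forged, tampered, or from an unknown issuer
        claims = json.loads(_unb64(body))
        if claims.get("aud") != "forum" or now >= claims["exp"]:
            return None                       # meant for another service, or expired
        if claims["jti"] in self.used_jti:
            return None                       # replayed assertion
        self.used_jti.add(claims["jti"])
        self.members.setdefault(claims["sub"], {"joined": now, "posts": 0})
        session = secrets.token_hex(16)
        self.sessions[session] = claims["sub"]
        return session


def forum_breach_dump(forum):
    """Everything an attacker who copies the forum's storage walks away with."""
    return json.dumps({"members": forum.members, "sessions": sorted(set(forum.sessions.values()))})
```

The breach dump is the point of the design: a compromise of the forum's database exposes e-mail addresses and profiles (which is what the notification e-mail in this thread says was taken) but contains nothing that can be cracked into a password, because the forum never held one. Note that this protects only accounts created after the SSO was introduced; whatever the forum stored before the cut-over, such as the 2011 hashes the e-mail refers to, is outside the scheme.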

Why reinvent the wheel?  Most websites don't write their own message board software. They'd rather devote their time to doing whatever it is they do that requires a message board.


This might be one of the main reasons why not to host your own message board software. The very fact that it is isolated entirely from Evernote's actual service means that a security breach of the forums is contained to that service only. Even better, now the forum vendor is scrambling to seal up the breach and Evernote can get on with its day, for the most part. 

 

 

Also, I'd rather Evernote spend their development and server resources on their service that I pay for. As a heavy user of these boards, I think the  third-party hosted message boards work just fine for the most part. 


A separate service actually allows us to be more secure, yes--and eliminates another vector for attack. That is one of the primary reasons we moved to our current service, as well as implemented the SSO back in 2011. To reiterate, our "official" thread on this is here for any clarifications to the email: https://discussion.evernote.com/topic/61752-important-information-regarding-your-discussion-forum-account/


I got this email this morning:

 

"The vendor that operates our discussion forum at https://discussion.evernote.com notified us they have been hacked. The hacker was able to retrieve your email address. We don’t believe that the hacker accessed any private forum messages.

Our forum is a completely separate service from the Evernote Service. The Evernote Service was not affected and your notes are still secure. We do not store your Evernote password on our discussion forum servers and you do not need to change it.

You do not need to take any action at this time. Since they were able to access your email address, we encourage you to be extra vigilant when clicking on links in emails from unknown sources.

Evernote Security Team"

 

Did anyone else get this email, and did anyone else notice that not once in the email does Evernote actually make any attempt at any time to apologise for this cluster?  The tone is "it's not our fault. We are just obligated to let you know. Hang in there!" Not even a hint at an apology.  Is this really the new low I think it is in customer care?


1) See the official thread here:

https://discussion.e...-forum-account/

2) It was the company that hosts the forum software who experienced the security breach. Being a completely separate company, it is not really Evernote's fault per se that the company that is not Evernote experienced a security breach. Evernote has no real reason to apologize because it is not something they did or could have prevented. 

3) Evernote has done a great deal to make sure that when something like this happens, users are protected. The single sign on mechanism (SSO) that they have implemented means that any breach of the forum software can't be linked to Evernote itself.

 

This means that Evernote has prevented any shortcoming on the part of the forum vendor from having any significant direct impact on Evernote users. 

 

 

Please review the official post linked to here in this post, as well as above, for more details. 


Are you serious?


I just rec'd a specific email (as millions of others apparently did), w/ a message which essentially says: "...your EN Forum acct was hacked... +hackers got my email, pwd and b-day, etc..".

The lack of crystal-clear instructions in this Evernote email on how to proceed step by step is simply amazing and UNprofessional.

If Brian Krebs would hear about this - he would have a true field day...

Hope Evernote sends a 2nd email with very CLEAR step by step instructions on how to proceed. All threads show people are VERY confused, so far...


I am on the same wavelength as MLeitch1.

 

I received a similar email.  I had no recollection of ever signing in to the Forum.  Reinforced by the fact I was told I was signing in as a new member?  I am therefore a little confused why I received the email in the first place!

 

On the issue of responsibility.  If I buy cakes and sell them on to the public as my cakes I become responsible for any problems with those cakes.  Similarly I find it surprising Evernote have not at least apologised.  The  Forum is badged as Evernote, it leads from a Forum link on the Evernote home page and I didn't see any notice telling me I was entering a third party hosted area.

 

If it looks, links and feels like Evernote - surely it is Evernote I'm dealing with.

 

These things happen but I do at least expect an apology.


Apologize for what? It was the forum provider, not Evernote that was hacked. An apology implies there was something Evernote could have done to prevent it.

You (along with a few thousand other forum members?) received an email that said your Evernote account was NOT hacked, but that an old password you might have used in 2011 to access this forum (not Evernote) was obtained (in hashed form) by a hacker. They suggested one course of action for a small number of people who might still be using that password on other sites -- change it.

For anyone following basic password management principles (use long, regularly changed, unique passwords) there is nothing to do. The password would have only been used once on this forum and nowhere else. If you have been using the same password in multiple locations for three years since 2011, there have been a countless number of hacks all over the web that long ago exposed your password to hackers.

In other words, for most people who received the email, there is nothing to do. No one's Evernote account was hacked, no data was lost, and your notes are safe.


Apologies flow from responsibility.  An apology does not imply they could have done something to prevent it - It simply accepts responsibility and expresses regret something happened that shouldn't have.  

 

GrumpyMonkey - you sound like a politician.  

 

But they have done something wrong.  On their watch the Forum was hacked.  Someone may have my email address to play with.  They chose the wrong provider.  Or perhaps they should have done it themselves.  It doesn't matter what link in the chain failed - it's their chain and it failed.


I study food recalls for a 'living', so the issue of who is responsible comes up often. 

 

The general rule of thumb is that culpability lies in the hands of any critical point at which a problem could have been caused, or could have been prevented. If you sold cakes that had an issue, and you were aware there was an issue, or there was a system you could have employed to identify the issue, yes you are partially culpable, and thus should probably issue an apology. For example, if the problem was due to improper storage, or if the issue was that all of the cake toppers melted, and a visual inspection would have revealed this, then those are things well within a retailer's control and it is reasonable to expect that a retailer would engage in proper storage and visual inspections. 

 

However, if you have thermal control that is satisfactory, your stock rotation is satisfactory, and any visual inspection of the cake did not suggest any issues, then the culpability lies with the baker you purchased the cakes from, and not you, so you have nothing to apologize for. 

 

Maple Leaf's recall in 2008 in Canada is a great example. Retailers were not accountable for the illnesses and deaths because the issue was unrelated to the actions of retailers. There is no reasonable expectation that a retailer would test packaged product for microbial contamination, and as such retailers did not, and had nothing to apologize for, and for the most part they did not apologize. They simply followed the protocol of product recalls and notified customers promptly and removed implicated products from their shelves. Maple Leaf, on the other hand, was very apologetic, because they killed people. It wasn't Safeway that killed people, and there's nothing Safeway could have done to not kill people. 

 

The forum is developed and served by a different company than Evernote. Evernote does not control directly the company that operates these servers and develops these forums. Evernote made very clear steps in 2011 to try and mitigate any damage that might occur if the Forum vendor gets compromised, and it has paid off since no Evernote user data has been exposed. 

 

Check out any of the cases famous American food outbreak lawyer Bill Marler has been involved in, they provide significant insight into culpability/responsibility/accountability.


If you accept responsibility, does that not by definition imply that you could have prevented it? 


I'd think a politician would say the opposite thing. Don't we call the apology you seek a "non-apology" apology? If that would satisfy people and generate goodwill, then they might as well apologize. Why not? Politicians do it all of the time. It is utterly devoid of meaning, especially in a context like this, but who am I to say what is better PR.

Personally, though, I loathe meaningless apologies and it makes me quite grumpy to hear someone say, "I'm sorry that you/he/she/them/it..." It's not about how I feel or what other people did -- what did you (the one apologizing) do wrong, do you recognize your error, and what are you doing to correct it?

I'm not (in my opinion) a cheerleader for Evernote. I call them out for problems, and I think they usually respond well to fair criticism. A good apology would be Phil Libin's (CEO of Evernote in 2014) when he apologized for bugs in the Evernote product. No, he didn't make the bugs himself, but as the head of Evernote, he could have done something to better reduce or eliminate them, so he apologized and promised to do better. Here? What would he say that would make sense? Nothing comes to mind.


Either way, sure Evernote could have apologized (whether that implies responsibility or not is actually not terribly important), but in their email, they did not. However, what matters most is that:

1) You were notified promptly about the issue

2) You were told what to do (which is nothing, because nothing can be done)

3) you were told what the possible consequences were (some potential increase in phishing and spam to your email). 

 

Would an apology have changed any of that? Would it have actually made it any better? I don't think so. I think most people would be just as frustrated as they are without receiving an apology. 

 

So perhaps they should have apologized, why not! But in my opinion, the hassle and consequences are the same. 


I opened a can here didn't I.    

 

To accept responsibility does not imply I can prevent something.   I keel over with a brain aneurysm and break a table.  I am responsible for breaking that table but if my brain condition was undiagnosed I could hardly have foreseen or prevented it.  If I am a chairman of a multinational which employs slave labour in a third world country I am responsible for that.  If I didn't know about it and I put it right I may not need to resign but it happens on my watch and I am responsible for it - 

 

I'm in Scotland so things may be different.   But in Scotland if I buy a defective cake from a supermarket and it makes me ill I can sue the supermarket.  I don't need to be concerned where in the chain the defect occurred. The supermarket may well be able to recover from whoever was negligent but I have a right of relief directly against them.  It's why they should exercise some care in choosing who supplies their cakes.  Don't confuse final liability with responsibility.  They are different things.

 

But we're not talking precise legal liability here we're talking about taking responsibility for your product and making an apology when something goes wrong with that product.  

 

If something goes wrong with a piece of work I am responsible for delivering, call me silly but I don't scrabble around passing the buck.  I accept the client is contracting with me.  I accept it is my responsibility to put it right and I apologise.  It's that simple.  I will explain to the client what happened and that a third party that I chose to sub contract to caused the problem but I will take responsibility.

 

I accept it may be different in the US or Canada - although good practice tends to be the same everywhere.

 

Perhaps I will just need to politely beg to differ and go back to using OneNote instead.  There are always different points of view to every situation.


Well-stated. I think we can agree to disagree. I should note that I am not an Evernote employee, I don't represent the company's position, and I don't know what they think about the issues we have debated here. I am merely stating my personal thoughts on apologies.


GrumpyMonkey I have to concede what you say makes sense.  A meaningless apology is pointless.

Don't concede yet :)

Of course, I don't think you were seeking a meaningless apology -- I phrased it that way because that is my opinion about the motions that people and companies sometimes go through to placate our anger.

I suppose rituals like this actually do serve a purpose and have some meaning, though I tend to see their significance more in terms of signaling an organization's intentions (not always clear what a conglomeration of individuals "thinks"), recognition of others who depend upon them, a ritualized reversal of power relations, and so forth.

I am personally interested in other things with an apology, but, as I mentioned above, that is just my opinion.


I should be working not creating this diversion for everyone - please don't agree with me.  

 

GrumpyMonkey and Scott you both make good points. The value of these exchanges is how often you realise that having started from a diverse position we do actually agree on most points.

 

And as you say we can agree to disagree.

 

I enjoyed the exchange of views though


Yikes, this isn't why I started this thread, but...    I don't care how EN works internally - if they want to pay someone else to provide their forum service then fine, but they are responsible for it.  

 

Getting back to my original point.  I am aware of all the advice about best practices for passwords, but that doesn't mean I necessarily followed them in 2011.  I don't keep a historical record of all my forum passwords!

 

Also, I think many people probably used the same pw for EN and for the forums, thinking that it was the same account.


There are no important passwords if you are using best practices, and there shouldn't be any three-year old passwords either. Each site / service gets its own, unique password. Each password is long. Each password is random. And, each one is changed every so often (I generally prefer every few months or so for low value sites). A password manager, of course, makes all of this simple.


Archived

This topic is now archived and is closed to further replies.
