Evernote, the online service that enables users to store and sync all kinds of data across multiple devices, has become the latest major Web property to suffer a serious intrusion. The company said on Saturday that attackers had compromised some user information, including email addresses and hashed passwords.
Evernote officials said that they did not think the attackers were able to gain access to any of the data that users store on the service. However, the company said it was requiring that all users change their passwords immediately.
“In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed,” Dave Engberg, the Evernote CTO, said in a blog post.
“The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)”
Although the company does not say what hash algorithm it uses to protect passwords, it uses 64-bit RC2 to encrypt data within users’ notes.
“For Evernote’s consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow,” Evernote says in a support FAQ.
Evernote users have the ability to store just about any kind of data on the service, including text, video and other information. Users can encrypt data within specific notes, and the company doesn’t have a copy of users’ keys, so if the passphrase is lost or compromised, there’s no way for the company to recover that data.
Evernote sent all of its users an email detailing the incident and informing them that they need to change their passwords before logging in the next time.