Online storage service Evernote warned users on March 2 that unknown attackers had compromised its system and gained access to the information on more than 50 million users, including encrypted password files.
Evernote moved to assure customers that their data and payment information remained safe, but conducted a password reset for all 50 million users across its services. The breach, which apparently happened in late February, allowed the attackers to access user names and email addresses of Evernote users, the company stated. The criminals also accessed the encrypted password file, the company said in a post on its Website.
“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)” the company stated on the site. “While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure.”
To store secure passwords, the data is typically hashed, or scrambled using a one-way encryption function. Strong hashing uses “salt,” which is a random number that prevents attackers from easily using a variety of attacks.
Cloud service companies, which collect information on a massive number of users, have become targets for hackers and cyber-criminals. In June 2012, business networking service LinkedIn acknowledged that the hashed, but not salted, passwords for nearly 6.5 million users had been stolen. The company became the target of a class-action lawsuit later that month.
So far, neither the Evernote password file nor decrypted passwords appear to have been posted online, said Steve Thomas, co-founder of PwnedList, which tracks accounts information that has publicly been posted.
Evernote claims that it had used a unique seed, or salt, for the password hashing, to make recovering the passwords much more difficult for the attackers, assuming that they did not get access to the salts along with the passwords, Thomas said.
“The concern is where the salt was kept, and if the hackers got access to the salt,” he said. “If the salt was also stolen, or there was a unique salt for each password, but the salt was also in the database, then we would expect with a little bit of effort, a large number of the hashes can be reversed.”
If some fraction of the password file can be decrypted, it still represents a danger for users, even after they have changed their passwords on Evernote’s system, because a large percentage of individuals—between 50 percent and 80 percent, according to studies of previous breaches—reuse their passwords.
“Individuals should also be concerned about any other services where they used the same password as the one that was stolen,” Thomas said. “Individuals should always assume that a password is vulnerable, regardless of if it was hashed and salted, as soon as it is in the hands of a hacker.”
Evernote represents a treasure trove of user information. In June, Evernote announced it had 34 million users. That number expanded to 45 million in December and 50 million as of February.