Evernote hacked: 50 million passwords reset


Online note-taking service Evernote has been hacked and is resetting all its 50 million users' passwords as a precaution.

The Redwood City, California-based company said in a post published late Saturday that an attacker had been able to access sensitive customer information and that every user would have their account reset "in an abundance of caution." In a follow-up email sent Sunday, the company said it believed the attack "follows a similar pattern of the many high profile attacks on other internet-based companies that have taken place over the last several weeks" -- an apparent reference to recent breaches at Facebook, Twitter, and Apple. Those cyberattacks were associated with exploits of the Java plug-in for browsers.

In January, the U.S. Department of Homeland Security advised people to disable Java software on their computers to avoid potential cyberattacks. Oracle released a patch for Java within days of the advisory, but experts warned that there is no foolproof way to protect against this type of attack because there are always going to be flaws in software.

However, Evernote said the attack did not appear to be linked to Java. The company said the attack, which it described as "sophisticated," was able to compromise usernames, email addresses and an unspecified number of customers' encrypted passwords. Decoding such passwords can be difficult but is possible.

Evernote said it has seen no evidence that any customer data had been tampered with or that any payment information had been compromised. Users will be asked to reset their passwords upon signing into their accounts on Evernote.com.

In a blog post, the company offered security tips for protecting users' data, including: avoiding simple passwords based on dictionary words, not using the same password on multiple sites and not clicking on "reset password" requests in emails.